Dell has begun working to patch a late-2023 critical vulnerability in Apache Struts 2, which has been inherited by a number of its Avamar and Integrated Data Protection Appliance (IDPA) products.
Avamar is a suite of data protection software that supports physical, virtual, and cloud environments.
In December, the Apache Foundation disclosed CVE-2023-50164, advising all users to upgrade to Struts 2.5.33 or Struts 6.3.0.2 or greater. Within days, proof-of-concept code was published.
“An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file," Apache’s advisory stated.
That sent a number of vendors on a hunt for whether their products had inherited the bug.
Dell has joined peers such as Cisco in advising of its vulnerability to CVE-2023-50164.
So far, fixes are available for various Avamar products in the version 19.10 branch; Avamar Virtual Edition for VMware ESXi and vSphere; and IDPA PowerProtect DP Series version 2.7.4 and older.
Other Avamar versions are awaiting a fix, expected in April.
