THE INFORMATION IN THIS ARTICLE APPLIES TO:
- Mail Express®, all versions
Mail Express is not vulnerable to the Apache Commons Library exploit, because Mail Express doesn’t use any of the vulnerable code paths.
As described at http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2015/al15-014-eng.aspx, there is a security vulnerability in the Apache Commons Library, which is used by Mail Express.
Globalscape’s Engineering team has validated that Mail Express uses the Apache Commons Library in question; however, it was determined that Mail Express does not use InvokerTransformer, which is the area of code that makes this vulnerability exploitable.
Globalscape is exploring two options: (1) Updating the Apache Commons Library to the latest version which mitigates the vulnerability or (2) removing the InvokerTransformer class from the library, as we are not
Because Mail Express is not affected, customers may continue to use the product without concern. However, customers can upgrade to a later version of Mail Express (when available) to pass internal security audits or scans that check for the affected version of the Apache Commons Library.
A future update of Mail Express should include this change.
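To confirm whether a deployed archive still ships the InvokerTransformer class discussed above, the following added example (not Globalscape's code) walks a JAR/WAR/EAR and any archives nested inside it. It assumes the entry names of the Apache Commons Collections 3.x and 4.x package layout; the function names and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Entry names of InvokerTransformer in Apache Commons Collections 3.x and 4.x.
TARGETS = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def find_invoker_transformer(data, label, max_depth=3):
    """Return 'outer!/inner!/entry' paths where the class is present; nested
    archives are opened in memory up to max_depth, unreadable ones skipped."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    with archive:
        for name in archive.namelist():
            if name in TARGETS:
                hits.append(f"{label}!/{name}")
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and max_depth > 0:
                hits += find_invoker_transformer(
                    archive.read(name), f"{label}!/{name}", max_depth - 1)
    return hits


def _make_zip(entries):
    """Build a constructed in-memory archive from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


def demo():
    """Constructed sample: a WAR bundling one untouched and one stripped JAR."""
    untouched = _make_zip({TARGETS[0]: b"stub", "META-INF/MANIFEST.MF": b""})
    stripped = _make_zip({"META-INF/MANIFEST.MF": b""})
    war = _make_zip({"WEB-INF/lib/a.jar": untouched, "WEB-INF/lib/b.jar": stripped})
    return find_invoker_transformer(war, "sample.war")


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

A JAR with the class stripped reports no hits here, yet a scanner that matches on the library's version string will still flag it, which is the audit case the article addresses with an upgrade.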