GlobalSCAPE Knowledge Base

Mail Express® is NOT vulnerable to the Apache Commons Library exploit

Karla Marsh
Mail Express - DEPRECATED

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • Mail Express®, all versions

DISCUSSION

Mail Express is not vulnerable to the Apache Commons Library exploit, because Mail Express doesn’t use any of the vulnerable code paths.

As described at http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2015/al15-014-eng.aspx, there is a security vulnerability in the Apache Commons Library, which is used by Mail Express.

Globalscape’s Engineering team has validated that Mail Express uses the Apache Commons Library in question; however, it was determined that Mail Express does not use InvokerTransformer, which is the area of code that makes this vulnerability exploitable.

Globalscape is exploring two options: (1) updating the Apache Commons Library to the latest version, which mitigates the vulnerability, or (2) removing the InvokerTransformer class from the library, as we are not using it.

Because Mail Express is not affected, customers may continue to use the product without concern. However, customers can upgrade to a later version of Mail Express (when available) to pass internal security audits or scans that check for the affected version of the Apache Commons Library.

A future update of Mail Express should include this change.
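
A check for option (2) and for the audit scans mentioned above, as an added example that is not Globalscape's code: it reports every JAR, WAR or EAR under a directory, including archives nested inside other archives, that still contains the InvokerTransformer class. The entry paths are the ones used by Apache Commons Collections 3.x and 4.x, which this article does not spell out; the depth limit and the default scan directory are assumptions.

```python
import io
import sys
import zipfile
from pathlib import Path

# Entry names of InvokerTransformer in Commons Collections 3.x and 4.x JARs
# (not listed in the article; taken from the library's package layout).
TARGETS = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
)
ARCHIVE_EXTS = (".jar", ".war", ".ear")
MAX_DEPTH = 4  # assumed bound on recursion into nested archives


def scan_archive(data, label, depth=0):
    """Return 'outer!/inner' locations where the class is still present."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name in TARGETS:
                hits.append(f"{label}!/{name}")
            elif name.lower().endswith(ARCHIVE_EXTS) and depth < MAX_DEPTH:
                # Bundled library inside a WAR/EAR or a shaded JAR.
                hits += scan_archive(zf.read(info), f"{label}!/{name}", depth + 1)
    return hits


def scan_tree(root):
    """Scan every archive under root; return a sorted list of hit locations."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXTS:
            hits += scan_archive(path.read_bytes(), str(path))
    return sorted(hits)


if __name__ == "__main__":
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for hit in found:
        print("InvokerTransformer present:", hit)
    sys.exit(1 if found else 0)  # non-zero exit lets an audit job fail the build
```

An empty result after the class has been removed confirms the stripped library is the one actually deployed. A scanner that keys only on the library's version number may still flag the JAR.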

Details
Last Modified: 3 Months Ago
Last Modified By: kmarsh
Type: INFO