Apache struts vulnerabilities in eDiscovery Platform - CVE-2016-1181 & CVE-2016-1182
Article ID: 100034406
Resolution
Veritas Technologies LLC has acknowledged that the abovementioned issue is present in the current version(s) listed under the Product(s) Section of this article. Veritas Technologies LLC is committed to product quality and satisfied customers.
There are no plans to address this issue by way of a patch or hotfix in the current or previous versions of the software at the present time. However, the issue is currently scheduled to be addressed in the next major revision of the product. Please be sure to refer back to this document periodically as any changes to the status of the defect will be reflected here. Please note that Veritas Technologies LLC reserves the right to remove any fix from the targeted release if it does not pass quality assurance tests. Veritas’ plans are subject to change and any action taken by you based on the above information or your reliance upon the above information is made at your own risk.
Please contact your Veritas Sales representative or the Veritas Sales group for upgrade information including upgrade eligibility to the release containing the resolution for this issue. For information on how to contact Veritas Sales, please see http://www.veritas.com
Issue/Introduction
All eDiscovery versions from the 7.x series through 8.3 utilize IBM Lotus Notes client version 8.5.2 for NSF and Domino collection and processing. This version contains the following Apache Struts vulnerabilities:
CVE-2016-1181:
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.
CVE-2016-1182:
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.
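Because no patch is planned for the affected eDiscovery releases, the practical question for an administrator is whether a Struts 1 build in the affected range is actually present on the server. The following is an added example, not Veritas or Apache code, that inventories a directory tree for Struts jars and reports any whose version falls in the 1.x through 1.3.10 range named above. It reads the version from the jar's MANIFEST.MF and falls back to the filename. The installation root to scan is an assumption (pass it on the command line); the sample jars built by demo() are constructed test data containing only a manifest, not real Struts artifacts.

```python
"""Inventory check for Apache Struts 1 jars in the range affected by
CVE-2016-1181 / CVE-2016-1182 (Struts 1, 1.x through 1.3.10).
Added example for this article; not Veritas or Apache code."""
import io
import os
import re
import sys
import tempfile
import zipfile
from typing import Iterator, List, Optional, Tuple

# Upper bound of the affected range as stated in the CVE text.
AFFECTED_MAX = (1, 3, 10)

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract a dotted version as an integer tuple so that 1.3.10 sorts after 1.3.9
    (a plain string comparison would get that wrong)."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> bool:
    """True when the version is a Struts 1 release no newer than 1.3.10."""
    v = parse_version(version)
    return v is not None and v[0] == 1 and v <= AFFECTED_MAX


def struts_version_from_jar(jar) -> Optional[str]:
    """Return Implementation-Version from the jar manifest if the manifest
    identifies a Struts artifact; jar may be a path or a file-like object."""
    try:
        with zipfile.ZipFile(jar) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    title, version = "", None
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "Implementation-Version":
            version = value.strip()
        elif key in ("Implementation-Title", "Specification-Title", "Bundle-SymbolicName"):
            title += value.strip().lower()
    return version if version and "struts" in title else None


def scan_tree(root: str) -> Iterator[Tuple[str, str]]:
    """Yield (path, version) for each struts*.jar under root in the affected range."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            lname = name.lower()
            if not (lname.startswith("struts") and lname.endswith(".jar")):
                continue
            path = os.path.join(dirpath, name)
            version = struts_version_from_jar(path)
            if version is None:  # no usable manifest: fall back to the filename
                parsed = parse_version(name)
                version = ".".join(map(str, parsed)) if parsed else None
            if version and is_affected(version):
                yield path, version


def make_sample_jar(version: str) -> bytes:
    """Constructed test data: a minimal jar holding only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Title: Struts Framework\r\n"
                    f"Implementation-Version: {version}\r\n")
    return buf.getvalue()


def demo() -> List[Tuple[str, str]]:
    """Scan a temporary tree containing constructed jars; returns affected findings."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        for name, ver in (("struts-core-1.3.10.jar", "1.3.10"),
                          ("struts2-core-2.5.10.jar", "2.5.10")):
            with open(os.path.join(lib, name), "wb") as f:
                f.write(make_sample_jar(ver))
        return [(os.path.basename(p), v) for p, v in scan_tree(root)]


if __name__ == "__main__":
    # Usage: python struts1_check.py <install-root>   (root path is an assumption)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, version in scan_tree(root):
        print(f"AFFECTED Struts {version}: {path}")
```

Run it against the eDiscovery and Lotus Notes client installation directories; a hit confirms exposure to the two CVEs, while no hit only shows that no Struts 1 jar was found under the scanned root, so scan every location where the embedded Notes client keeps its libraries.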
Additional Information
JIRA: ESA-42822