Is CA Spectrum vulnerable to CVE-2018-11776 (Apache Struts Remote Code Execution)?

Article ID: 112642

Products

CA Spectrum

Issue/Introduction

(As taken from the vulnerability description CVE-2018-11776)

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution (CVE-2018-11776) when using results with no namespace and, at the same time, its upper action(s) have no or wildcard namespace. The same possibility exists when using a url tag which doesn't have value and action set and, at the same time, its upper action(s) have no or wildcard namespace.
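The condition in that description is a property of the Struts configuration, so the practical check is to audit struts.xml for it. The script below is an example added to this article (it is not CA's or the Apache Struts project's code): it flags packages whose namespace attribute is missing, empty or a wildcard and, inside them, actions whose redirectAction, chain or postback results set no namespace of their own. It also reports whether struts.mapper.alwaysSelectFullNamespace is switched on in struts.xml, which the upstream Struts S2-057 advisory lists as a precondition (the same constant can also live in struts.properties, which this script does not read). The url-tag variant lives in JSP files and needs a separate review. The struts.xml content is constructed for the example.

```python
"""Audit a struts.xml for the configuration pattern named in CVE-2018-11776.

Example added to this article; it is not CA's or the Apache Struts project's code.
It looks for packages whose namespace is missing, empty or contains a wildcard and,
inside them, actions whose redirectAction/chain/postback results set no namespace
of their own. The struts.xml below is constructed for the example.
"""
import xml.etree.ElementTree as ET

# Result types that derive a namespace from the request when none is configured.
NAMESPACE_SENSITIVE_RESULTS = {"redirectAction", "chain", "postback"}

# Constructed sample: two risky packages and one that sets namespaces explicitly.
SAMPLE_STRUTS_XML = """
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="wild" extends="struts-default" namespace="/*">
    <action name="jump" class="com.example.JumpAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>
  <package name="nons" extends="struts-default">
    <action name="go" class="com.example.GoAction">
      <result type="chain">next</result>
    </action>
  </package>
  <package name="safe" extends="struts-default" namespace="/app">
    <action name="jump" class="com.example.JumpAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/app</param>
      </result>
    </action>
  </package>
</struts>
"""


def _package_namespace_is_open(package):
    """True when the package namespace is absent, empty or a wildcard."""
    ns = package.get("namespace", "")
    return ns == "" or "*" in ns


def _result_namespace(result):
    """Return the result's own <param name="namespace"> value, or '' if unset."""
    for param in result.findall("param"):
        if param.get("name") == "namespace":
            return (param.text or "").strip()
    return ""


def find_risky_actions(struts_xml):
    """Return (package, action, result type) triples matching the CVE pattern."""
    root = ET.fromstring(struts_xml)
    findings = []
    for package in root.iter("package"):
        if not _package_namespace_is_open(package):
            continue
        for action in package.findall("action"):
            for result in action.findall("result"):
                rtype = result.get("type", "dispatcher")
                if rtype in NAMESPACE_SENSITIVE_RESULTS and not _result_namespace(result):
                    findings.append((package.get("name"), action.get("name"), rtype))
    return findings


def full_namespace_selection_enabled(struts_xml):
    """True if struts.mapper.alwaysSelectFullNamespace is set to true in struts.xml."""
    root = ET.fromstring(struts_xml)
    for constant in root.iter("constant"):
        if constant.get("name") == "struts.mapper.alwaysSelectFullNamespace":
            return constant.get("value", "").strip().lower() == "true"
    return False


if __name__ == "__main__":
    print("alwaysSelectFullNamespace:", full_namespace_selection_enabled(SAMPLE_STRUTS_XML))
    for pkg, action, rtype in find_risky_actions(SAMPLE_STRUTS_XML):
        print(f"package={pkg} action={action} result={rtype}: no namespace set")
```

Run it against the real struts.xml by replacing the sample string with the file's contents. An empty findings list together with alwaysSelectFullNamespace reported as false is the configuration-level evidence that the pattern from the CVE description is absent; the Struts upgrade remains the definitive fix.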

Is CA Spectrum vulnerable to CVE-2018-11776 (Apache Struts Remote Code Execution)?

Environment

Spectrum 10.0
Spectrum 10.1.x
Spectrum 10.2.x
Spectrum 10.3.x

Resolution

CA Engineering has reviewed the vulnerability (CVE-2018-11776) and the issue is not reproducible, because CA Spectrum does not use empty action tags.
As an additional check, Engineering scanned the application for Expression Language injection and nothing was found or reported.
Therefore, as the result of this investigation, CA Spectrum is not vulnerable to CVE-2018-11776.

Additional Information

As part of our ongoing commitment to ship the latest updates in the newest releases, we are scheduled to update Apache Struts to the latest version in Spectrum 10.3.1, but this update is not driven by the vulnerability (CVE-2018-11776).