Struts 2 security vulnerability found in an APM application running in OpenShift.
search cancel

Struts 2 security vulnerability found in an APM application running in OpenShift.


Article ID: 143807


Updated On:


CA Application Performance Management Agent (APM / Wily / Introscope) CA Application Performance Management (APM / Wily / Introscope) INTROSCOPE DX Application Performance Management


APM Infrastructure Agent Release (Build 990045) is installed in OpenShift.

Nessus scan has revealed a vulnerability in the CA APM application running in OpenShift.


Nessus Scan Report:

“A remote web application uses a framework that is affected by code execution and file overwrite vulnerabilities.
The remote web application appears to use Struts 2, a web framework that uses XWork.
Due to flaws in multiple Struts2 'Interceptor' classes (CookieInterceptor, ParametersInterceptor, and DebuggingInterceptor)
that fail to properly sanitize user-supplied input, a remote attacker can run arbitrary Java code or overwrite
files on the remote host by sending a specially crafted HTTP request.           
Upgrade to Struts2 or later.           
CVE-2012-0392  “

This was verified using the following :  HTTP request :

GET / HTTP/1.1
Host: <hostname>.<>:32021
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
Cookie: dtCookie=1$F12DA13E08E954CF367802D373FCE28D
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

xxxx@<hostname> /xxxx:>oc exec -n xxxxx  caagent-nxnvf -- ss -tulpn|grep 32021

tcp    LISTEN     0      128      :::32021                :::*


  • Release: 10.7.0
  • Component: APM Agents


  • Per engineering, there is some issue and they have updated the image in the dockerHub with the fix. 



Download the updated version from dockerHub. 

If connecting with 10.7 EM, you need to pass this additional environmental variable on both the DaemonSet and Deployment definition of the YAML file 

- name: apmenv_introscope_agent_connection_compatibility_version  value: "10.7"