
Are APM components impacted by any vulnerability for the Struts Framework?


Article ID: 15766


Updated On:


CA Application Performance Management Agent (APM / Wily / Introscope) INTROSCOPE


The Apache Struts framework has two reported vulnerabilities:

1) Possible Remote Code Execution attack when using the Struts REST plugin with the XStream handler to handle XML payloads.
Affected: Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12

2) A high-risk vulnerability has been reported in Apache Struts which can be exploited by malicious actors to compromise vulnerable systems through a Remote Code Execution (RCE) attack.
Affected: Struts 2.3 - Struts 2.3.34, Struts 2.5 - Struts 2.5.16

Are APM components impacted by any vulnerability for Apache Struts?


APM 9.x and 10.x


Overall, APM 9.7 to 10.7+ are not impacted by the above Apache Struts vulnerabilities, as they do not use any of the affected Struts 2.x versions.

1) The APM Webview login page and CEM Tess use the Struts framework, versions 1.2.7 and 1.2.4; however, the APM development team removed the Struts dependency starting from 10.5.2 Hotfix #35.

NOTE: Struts-menu-2.3.jar is a tag library that is not related to the Struts 2 framework. This tag library is only used on the client side to render the menus; no user input is sent to the server through these menus.

2) The APM Command Center (ACC) and the Agents do not use the Struts library.
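An added inventory check (not part of the original article or of CA APM) that classifies Struts jar files found in an installation against the two affected ranges stated above. It deliberately treats struts-menu as a tag library rather than Struts 2, and Struts 1.x releases as outside the listed ranges; the jar naming pattern and the sample names are assumptions.

```python
import re
from pathlib import Path

# Inclusive affected Struts 2 ranges, copied from the two advisories above.
AFFECTED = [
    ("REST plugin/XStream RCE", "2.1.2", "2.3.33"),
    ("REST plugin/XStream RCE", "2.5", "2.5.12"),
    ("second Struts RCE advisory", "2.3", "2.3.34"),
    ("second Struts RCE advisory", "2.5", "2.5.16"),
]

# Assumed naming: struts-1.2.7.jar, struts2-core-2.5.12.jar, struts-menu-2.3.jar, ...
JAR_RE = re.compile(r"^(struts2?(?:-[a-z]+)*?)-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def _vtuple(version, width=3):
    """'2.5' -> (2, 5, 0) so a bare '2.5' lower bound compares as 2.5.0."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def classify_jar(filename):
    """Return (status, reason) for a Struts jar, or None if it is not one."""
    m = JAR_RE.match(Path(filename).name)
    if not m:
        return None
    artifact, version = m.group(1).lower(), m.group(2)
    # struts-menu is a JSP tag library that only renders menus on the client;
    # it is not the Struts 2 framework and carries no user input to the server.
    if artifact.startswith("struts-menu"):
        return ("not-affected", f"{artifact} is a tag library unrelated to Struts 2")
    v = _vtuple(version)
    if v[0] != 2:
        return ("not-affected", f"Struts {version} is not a Struts 2 release")
    hits = sorted({name for name, lo, hi in AFFECTED if _vtuple(lo) <= v <= _vtuple(hi)})
    if hits:
        return ("affected", f"Struts {version} falls in: " + ", ".join(hits))
    return ("not-affected", f"Struts {version} is outside the listed ranges")


def scan_names(filenames):
    """Classify jar names; returns {name: (status, reason)} for Struts jars only."""
    return {n: r for n in filenames if (r := classify_jar(n)) is not None}


def scan_tree(root):
    """Walk an install tree (for example a Webview installation directory) for jars."""
    return scan_names(str(p) for p in Path(root).rglob("*.jar"))
```

Run `scan_tree("/path/to/apm")` against an installation to list every Struts jar with its verdict; anything reported as "affected" is a Struts 2 artifact in one of the ranges above and warrants a closer look.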