Are APM components impacted by any vulnerability for the Struts Framework?

book

Article ID: 15766

calendar_today

Updated On:

Products

APP PERF MANAGEMENT CA Application Performance Management Agent (APM / Wily / Introscope) CUSTOMER EXPERIENCE MANAGER INTROSCOPE

Issue/Introduction

The Struts Framework has vulnerability issues:

1) Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads. 
https://struts.apache.org/docs/s2-052.html
Affected Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12

2) A high risk vulnerability has been reported in Apache Struts, which can be exploited by malicious actors to compromise vulnerable systems through a RCE (Remote Code Execution) attack.
https://cwiki.apache.org/confluence/display/WW/S2-057 
Affected Struts 2.3 - Struts 2.3.34, Struts 2.5 - Struts 2.5.16



 Are APM components impacted by any vulnerability for the Apache Struts ?

Environment

APM 9.x and 10.x

Resolution

Overall APM 9.7 to 10.7+ are not impacted by the above Apache Struts vulnerabilities as it doesn't use any of the problematic 2.x versions

1) The APM Webview login page and CEM Tess uses Struts Framework struts version 1.2.7 and 1.2.4 however APM Development team has removed struts dependency starting from 10.5.2 Hotfix # 35.

NOTE: Struts-menu-2.3.jar is Tag library which is not related to struts 2 framework. This Tag library only  used at client side to render the menus. No user input will be send to server through these menus.

2) The APM Command Center (ACC) and Agents do not use struts library