Is API Developer Portal vulnerable to CVE-2017-9805?

Article ID: 15791

Products

STARTER PACK-7
CA Rapid App Security
API SECURITY
CA API Gateway

Issue/Introduction

There is a CVE known as CVE-2017-9805, which Red Hat describes as the following:

"The REST Plugin in Apache Struts2 is using a XStreamHandler with an instance of XStream for deserialization without any type filtering which could lead to Remote Code Execution when deserializing XML payloads. An attacker could use this flaw to execute arbitrary code or conduct further attacks."

Is API Developer Portal vulnerable to CVE-2017-9805? Does the API Developer Portal even use Apache Struts in the first place?

Environment

This CVE affects Apache Struts. The question was asked in reference to API Developer Portal, but it could equally be asked of the other CA API Management products, such as the CA API Gateway, CA Mobile API Gateway, and more.

Resolution

No, the CA API Developer Portal is not vulnerable to CVE-2017-9805, because Apache Struts is not used in the product. In fact, Apache Struts is not used in the API Gateway or related products either, meaning that none of the CA API Management products are vulnerable to any Apache Struts-related CVE. Note: This may be subject to change in the future, but as of the time of this writing, no CA API Management products include Apache Struts.
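The resolution above rests on Struts not being present in the installation and notes that this could change over time. As an added example, not part of the article or of the CA products, the following POSIX shell check lets an administrator confirm on their own installation tree that no Struts 2 jars, including the REST plugin named in the CVE, are present either loose on disk or bundled inside deployed .war/.ear archives. The installation path and the sample file names used in the demonstration are placeholders.

```shell
#!/bin/sh
# Added example (not from the KB article): scan an installation tree for
# Apache Struts 2 artifacts, including the REST plugin named in CVE-2017-9805.
# Usage: sh check_struts.sh /path/to/product/install   (placeholder path)

# Print every Struts 2 jar found under the given root.
# Looks at loose jars on disk and at jars bundled inside .war/.ear archives.
find_struts_jars() {
  root="$1"
  # Loose jars on disk (struts2-core, struts2-rest-plugin, other struts2-* plugins)
  find "$root" -type f -iname 'struts2-*.jar' 2>/dev/null
  # Jars bundled inside web/enterprise archives; needs unzip, otherwise silently skipped
  find "$root" -type f \( -iname '*.war' -o -iname '*.ear' \) 2>/dev/null |
  while IFS= read -r archive; do
    unzip -l "$archive" 2>/dev/null |
    awk -v a="$archive" 'tolower($NF) ~ /struts2-[^\/]*\.jar$/ { print a ":" $NF }'
  done
}

# Return 0 (shell "true") when no Struts 2 artifacts are present, 1 otherwise.
struts_absent() {
  hits=$(find_struts_jars "$1" | wc -l | tr -d ' ')
  [ "$hits" -eq 0 ]
}

# Self-contained demonstration on a constructed directory tree with placeholder
# file names (no real product files are touched).
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/clean/lib" "$tmp/affected/lib"
  : > "$tmp/clean/lib/commons-lang3-VERSION.jar"          # constructed, unrelated jar
  : > "$tmp/affected/lib/struts2-core-VERSION.jar"         # constructed Struts 2 core jar
  : > "$tmp/affected/lib/struts2-rest-plugin-VERSION.jar"  # constructed REST plugin jar
  if struts_absent "$tmp/clean"; then
    echo "clean tree: no Struts 2 artifacts found"
  fi
  if ! struts_absent "$tmp/affected"; then
    echo "affected tree: Struts 2 artifacts present:"
    find_struts_jars "$tmp/affected"
  fi
  rm -rf "$tmp"
}

# With a path argument, check that installation; without one, run the demonstration.
if [ "$#" -gt 0 ]; then
  if struts_absent "$1"; then
    echo "No Struts 2 artifacts found under $1"
  else
    echo "Struts 2 artifacts found under $1:"
    find_struts_jars "$1"
  fi
else
  demo
fi
```

A clean result only shows that Struts is not shipped on disk; rerun the check after every product upgrade, since the article itself notes the component list may change.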

Additionally, Red Hat states the following on their page for CVE-2017-9805:

"This issue did not affect any of the Red Hat products as they did not include the Apache Struts 2 package."

Additional Information