Red Hat describes CVE-2017-9805 as follows:
"The REST Plugin in Apache Struts2 is using a XStreamHandler with an instance of XStream for deserialization without any type filtering which could lead to Remote Code Execution when deserializing XML payloads. An attacker could use this flaw to execute arbitrary code or conduct further attacks."
Is API Developer Portal vulnerable to CVE-2017-9805? Does the API Developer Portal even use Apache Struts in the first place?
No, the CA API Developer Portal is not vulnerable to CVE-2017-9805, as Apache Struts is not used in the product. In fact, Apache Struts is not used in the API Gateway or related products either, meaning that none of the CA API Management products are vulnerable to any Apache Struts-related CVE. Note: This may be subject to change in the future, but as of the time of this writing, no CA API Management products include Apache Struts.
Additionally, Red Hat states the following on their page for CVE-2017-9805:
"This issue did not affect any of the Red Hat products as they did not include the Apache Struts 2 package."
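To confirm the absence of the Struts 2 REST plugin on an installed system, the following added example (not CA or Red Hat code) walks a directory and inspects JAR/WAR/EAR files, including nested ones, for the plugin JAR or the `XStreamHandler` class named in the CVE description. It assumes the plugin keeps its usual `struts2-rest-plugin` JAR name and `org.apache.struts2.rest.handler` package; the directory to scan is supplied by the operator.

```python
import io
import os
import zipfile

# Markers for the Struts 2 REST plugin (assumed unrenamed): its usual JAR
# name prefix and the handler class named in the CVE description.
JAR_PREFIX = "struts2-rest-plugin"
HANDLER_CLASS = "org/apache/struts2/rest/handler/XStreamHandler.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear")


def scan_archive(data, label, hits, depth=0):
    """Record hits in one archive, recursing into nested JAR/WAR/EAR entries."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; skip it
    with zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1].lower()
            if name == HANDLER_CLASS:
                hits.append(f"{label} contains {name}")
            elif base.startswith(JAR_PREFIX) and base.endswith(".jar"):
                hits.append(f"{label} bundles {name}")
            # Depth limit guards against pathologically nested archives.
            if base.endswith(ARCHIVE_EXTS) and depth < 4:
                scan_archive(zf.read(name), f"{label}!{name}", hits, depth + 1)


def find_struts_rest(root):
    """Walk root and return a list of findings for every archive under it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(ARCHIVE_EXTS):
                continue
            path = os.path.join(dirpath, fname)
            if fname.lower().startswith(JAR_PREFIX):
                hits.append(f"{path} is named like the REST plugin")
            with open(path, "rb") as fh:
                scan_archive(fh.read(), path, hits)
    return hits


if __name__ == "__main__":
    import sys
    for finding in find_struts_rest(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

An empty result means no archive under the scanned directory carries the plugin under its standard name or package; a repackaged or shaded copy would not be matched by this check.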