Is Spectrum vulnerable to CVE-2017-9805 vulnerability?

Article ID: 15898

Products

CA Spectrum

Issue/Introduction

CVE-2017-9805 describes a possible Remote Code Execution (RCE) attack when the Struts REST plugin uses its XStream handler to process XML payloads. It affects applications built on the Struts 2.1.2 through 2.3.33 and Struts 2.5 through 2.5.12 MVC Framework that use the REST plugin. The REST plugin's XStreamHandler uses an XStream instance for deserialization without any type filtering, which can lead to Remote Code Execution when untrusted XML payloads are deserialized.

Is Spectrum affected by this CVE-2017-9805 vulnerability?

Environment

All Spectrum versions

Resolution

No, Spectrum is not affected by this vulnerability. Spectrum does use the Struts 2 MVC Framework, but it does not use the REST plugin: the REST plugin jar is not shipped as part of a Spectrum deployment.
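The resolution rests on two facts that an administrator can verify on any Struts 2 deployment: which Struts version is present, and whether the struts2-rest-plugin jar is present at all. The script below is an added example and is not code from CA or from the Spectrum product. It assumes the conventional Maven jar naming of struts2-<artifact>-<version>.jar and encodes the affected ranges exactly as the advisory states them (2.1.2 to 2.3.33 and 2.5 to 2.5.12, inclusive). The sample jar lists are constructed for illustration.

```python
import os
import re
from typing import Dict, Iterable, List, Tuple

# Affected Struts ranges from the advisory text, inclusive on both ends.
# "2.5" is treated as 2.5.0.
AFFECTED_RANGES: Tuple[Tuple[Tuple[int, ...], Tuple[int, ...]], ...] = (
    ((2, 1, 2), (2, 3, 33)),
    ((2, 5, 0), (2, 5, 12)),
)

# Assumption: jars follow the Maven convention struts2-<artifact>-<version>.jar
JAR_RE = re.compile(r"^(?P<artifact>struts2-[a-z0-9-]+?)-(?P<version>\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5' or '2.3.33' into a comparable tuple, padded to three parts."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def struts_version_affected(version: str) -> bool:
    """True if the Struts version falls inside one of the advisory's ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assess_jars(jar_paths: Iterable[str]) -> Dict[str, object]:
    """Classify a list of jar paths: is Struts present, is the REST plugin
    present, and does any Struts artifact sit in an affected range?

    Exposure to CVE-2017-9805 requires both the REST plugin and an affected
    version; an affected struts2-core without the plugin is out of scope for
    this particular CVE (though it may matter for other advisories).
    """
    struts_versions: List[str] = []
    rest_plugin_versions: List[str] = []
    for path in jar_paths:
        m = JAR_RE.match(os.path.basename(path))
        if not m:
            continue  # not a Struts 2 jar (e.g. xstream-1.4.9.jar)
        artifact, version = m.group("artifact"), m.group("version")
        struts_versions.append(version)
        if artifact == "struts2-rest-plugin":
            rest_plugin_versions.append(version)

    affected = sorted({v for v in struts_versions if struts_version_affected(v)})
    rest_plugin_present = bool(rest_plugin_versions)
    return {
        "struts_present": bool(struts_versions),
        "rest_plugin_present": rest_plugin_present,
        "affected_versions": affected,
        "exposed": rest_plugin_present and bool(affected),
    }


def scan_directory(root: str) -> List[str]:
    """Collect every .jar path under root (for running against a real install)."""
    found: List[str] = []
    for dirpath, _, filenames in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in filenames if f.endswith(".jar"))
    return found


if __name__ == "__main__":
    # Constructed sample: Struts 2 without the REST plugin, like the situation
    # the article describes for Spectrum.
    no_plugin = ["WEB-INF/lib/struts2-core-2.3.33.jar", "WEB-INF/lib/xstream-1.4.9.jar"]
    # Constructed sample: an affected Struts 2 with the REST plugin present.
    with_plugin = no_plugin + ["WEB-INF/lib/struts2-rest-plugin-2.3.33.jar"]
    print("without REST plugin:", assess_jars(no_plugin))
    print("with REST plugin:   ", assess_jars(with_plugin))
```

To run it against a real deployment, pass `scan_directory("/path/to/webapp")` to `assess_jars` and treat `exposed` as the finding; `affected_versions` with `rest_plugin_present` false is worth recording for other Struts advisories even though it is not in scope for this one.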

Additional Information

https://struts.apache.org/docs/s2-052.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805