The Apache struts 1.2.8 that comes with the Siteminder Administrative UI 12.52 SP1 CR6 is affected by below CVEs:
Do you have any plans to upgrade the Apache struts version to a version that is not affected by the indicated CVEs?
There are no plans to upgrade this jar as it has been removed in higher versions (12.6 SP1 and above).
Apache struts is removed from Third Party Software section in 12.6 SP1 and above, and as such, the Administrative UI isn't affected by those vulnerabilities. Upgrade the AdminUI with the Policy Server and Policy Store.
Third-Party Software Acknowledgments