Apache Struts version upgrade in WAM-UI

Article ID: 16104

Products

CA Single Sign On Secure Proxy Server (SiteMinder)

AXIOMATICS POLICY SERVER

CA Single Sign On SOA Security Manager (SiteMinder)

CA Single Sign-On

Issue/Introduction



Apache Struts 1.2.8, which ships with the SiteMinder Administrative UI 12.52 SP1 CR6, is affected by the following CVEs:

CVE-2016-1182

CVE-2016-1181

CVE-2015-0899 

CVE-2014-0114

https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/Apache-Struts.html

Do you have any plans to upgrade the Apache Struts version to a version that is not affected by the indicated CVEs?

Environment

Administrative UI 12.52 SP1 CR6 on Red Hat 6 (64-bit)

Resolution

There are no plans to upgrade this jar, as it has been removed in later versions (12.6 SP1 and above).

Apache Struts is removed from the Third-Party Software section in 12.6 SP1 and above, and as such, the Administrative UI in those versions isn't affected by those vulnerabilities. Upgrade the Administrative UI along with the Policy Server and Policy Store.
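To confirm after the upgrade that no Struts 1 classes remain on the Administrative UI host, the added example below (not vendor code) scans a directory tree for archives that contain them, including jars nested inside WAR/EAR files. The install root is passed by the operator, and matching on the Struts 1 `ActionServlet` class rather than on the jar file name is a choice made for this example so that renamed jars are still found.

```python
import io, os, sys, zipfile

# Core servlet class of Struts 1.x; matching on it catches renamed jars.
STRUTS1_MARKER = "org/apache/struts/action/ActionServlet.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear")

def manifest_version(zf):
    """Return Implementation-Version from the archive manifest, or 'unknown'."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return "unknown"
    for line in text.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return "unknown"

def scan_archive(fileobj, label, findings):
    """Record label if the archive holds Struts 1 classes; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(fileobj)
    except zipfile.BadZipFile:
        return  # truncated or non-zip file with an archive extension
    with zf:
        names = zf.namelist()
        if STRUTS1_MARKER in names:
            findings.append((label, manifest_version(zf)))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXTS):
                scan_archive(io.BytesIO(zf.read(name)), label + "!/" + name, findings)

def find_struts1(root):
    """Walk root and return [(path, version)] for every archive containing Struts 1."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    scan_archive(fh, path, findings)
    return findings

if __name__ == "__main__":
    # Assumption: the operator supplies the install root; no product path is hard-coded.
    hits = find_struts1(sys.argv[1])
    for path, version in hits:
        print("%s\tStruts %s" % (path, version))
    sys.exit(1 if hits else 0)
```

An exit status of 0 means no archive under the given root contains Struts 1 classes; classes unpacked into an exploded `WEB-INF/classes` directory are outside what this check covers.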

 

Additional Information

Third-Party Software Acknowledgments

12.6:

https://docops.ca.com/ca-single-sign-on/12-6-01/en/third-party-software-acknowledgments/ 

12.7:

https://docops.ca.com/ca-single-sign-on/12-7/en/third-party-software-acknowledgments