Is the Apache vulnerability CVE-2017-5638 affecting my Client Automation installation?


Article ID: 16619


Products

CA Automation Suite for Data Centers - Configuration Automation
CA Client Automation - Asset Management
CA Client Automation - IT Client Manager
CA Client Automation
CA Client Automation - Remote Control
CA Client Automation - Asset Intelligence
CA Client Automation - Desktop Migration Manager
CA Client Automation - Patch Manager

Issue/Introduction

A Client Automation installation uses Apache Tomcat, so it could be affected by the vulnerability CVE-2017-5638.




Environment

Client Automation 12.9 and above.

Resolution

According to the Apache Struts 2 Documentation S2-045, the affected software versions are Struts 2.3.5 - Struts 2.3.31 and Struts 2.5 - Struts 2.5.10. Client Automation makes use of the Struts 1.1 framework.

The CVE-2017-5638 vulnerability report describes two Struts 2 framework classes which allow for the vulnerability (specifically the FileUploadInterceptor.java and LocalizedTextUtil.java classes). Client Automation currently makes use of Struts 1.1, which does not make use of the affected classes. The Struts-menu 2.3 library (though v2.3) is an independent library, and the affected classes are not available in any Struts 1.x framework.

Therefore, Client Automation is not affected by this vulnerability. 
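To confirm this on a given installation, the following added example (not a CA or Apache tool) walks a directory, opens every JAR/WAR including nested ones, and reports archives that contain the two classes named above or whose file name carries a version inside the S2-045 ranges. The function names and the struts2-core-<version>.jar file-name convention are assumptions of this example.

```python
import io, os, re, sys, zipfile

# Class names taken from the article; matched by simple file name only.
AFFECTED_CLASSES = ("FileUploadInterceptor.class", "LocalizedTextUtil.class")
# Inclusive version ranges the article quotes from S2-045.
AFFECTED_RANGES = (((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10)))
# Assumption: the Struts 2 core JAR keeps its struts2-core-<version>.jar name.
JAR_NAME = re.compile(r"struts2-core-(\d+(?:\.\d+)*)[^/\\]*\.jar$", re.I)

def parse_version(name):
    m = JAR_NAME.search(name)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def version_affected(version):
    return version is not None and any(
        lo <= version <= hi for lo, hi in AFFECTED_RANGES)

def inspect_archive(label, data, findings):
    """Record Struts 2 evidence in one JAR/WAR, then recurse into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive, nothing to report
    with zf:
        names = zf.namelist()
        hits = sorted({n.rsplit("/", 1)[-1] for n in names} & set(AFFECTED_CLASSES))
        version = parse_version(label)
        if hits or version_affected(version):
            findings.append({"archive": label, "version": version,
                             "classes": hits,
                             "in_affected_range": version_affected(version)})
        for n in names:
            if n.lower().endswith((".jar", ".war")):
                inspect_archive(f"{label}!{n}", zf.read(n), findings)

def scan(root):
    """Walk an installation directory and inspect every JAR/WAR under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jar", ".war")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    inspect_archive(path, fh.read(), findings)
    return findings

if __name__ == "__main__":
    for finding in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

An empty result for the installation directory is consistent with the conclusion above; any finding identifies the archive to review.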

 

Additional Information

Welcome to the Apache Struts project

Apache Struts 2 Documentation S2-045

NATIONAL VULNERABILITY DATABASE

Attack: Apache Struts CVE-2017-5638