Struts Vulnerability - CVE-2020-17530 and (CVE-2021-31805) and CVE-2019-0230 and its impact on Identity Manager

Article ID: 220339


Products

CA Identity Manager CA Identity Suite

Issue/Introduction

Struts Vulnerability - CVE-2020-17530 (and CVE-2021-31805) and CVE-2019-0230 and its impact on Identity Manager

Is Identity Manager vulnerable to CVE-2020-17530 (and CVE-2021-31805) or CVE-2019-0230?

https://struts.apache.org/announce.html
https://cwiki.apache.org/confluence/display/WW/S2-061
https://cwiki.apache.org/confluence/display/WW/S2-062
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17530
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-31805

Environment

Release : 14.2, 14.3, 14.4

Component : IdentityMinder(Identity Manager)

Resolution

Identity Manager is not affected by the Struts 2 vulnerabilities CVE-2020-17530 (and CVE-2021-31805) and CVE-2019-0230.

CVE-2020-17530 (and CVE-2021-31805) and CVE-2019-0230 affect Struts 2 when forced OGNL evaluation is applied to untrusted user input, so that the input is evaluated twice (double evaluation); this can lead to remote code execution (RCE) and a degradation of the application's security.

Identity Manager's use of OGNL expressions is strictly for retrieving data from the server; it does not send, set, or pass user input into an expression where it could undergo double evaluation.
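The condition described above, untrusted input reaching forced OGNL evaluation, is what scanners for these Struts 2 CVEs probe for, and the request parameters they send carry the forced-evaluation markers `%{` or `${`. The following added example, which is not part of this article and not Broadcom or Identity Manager code, scans web access-log lines for such markers in query parameters (after URL decoding, including a second decoding pass for double-encoded values) so that a defender can spot probes against an Identity Manager deployment. The log format (Common Log Format) and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Markers of forced OGNL evaluation in Struts 2: "%{...}" and "${...}".
OGNL_MARKER = re.compile(r"[%$]\{")

# Common Log Format request line: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic). The second line carries a
# double-URL-encoded "%{1+1}" in the "id" parameter, the shape of a probe.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /app/index.action?id=42 HTTP/1.1" 200 1234
10.0.0.9 - - [01/Jan/2021:10:00:01 +0000] "GET /app/index.action?id=%25%7B1%2B1%7D HTTP/1.1" 200 1234
10.0.0.7 - - [01/Jan/2021:10:00:02 +0000] "POST /app/login.action HTTP/1.1" 302 0
"""


def decoded_params(target):
    """Return (name, value) pairs from the query string, decoded twice so that
    double-encoded markers (%25%7B -> %7B -> {) are still visible."""
    query = urlsplit(target).query
    # parse_qsl performs the first decoding pass; unquote performs the second.
    return [(name, unquote(value))
            for name, value in parse_qsl(query, keep_blank_values=True)]


def find_ognl_probes(log_text):
    """Return a list of findings for requests whose parameters contain an
    OGNL forced-evaluation marker."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        for name, value in decoded_params(match.group("target")):
            if OGNL_MARKER.search(value):
                findings.append({
                    "ip": match.group("ip"),
                    "timestamp": match.group("ts"),
                    "target": match.group("target"),
                    "param": name,
                    "value": value,
                    "status": int(match.group("status")),
                })
    return findings


if __name__ == "__main__":
    for finding in find_ognl_probes(SAMPLE_LOG):
        print(f"{finding['ip']} probed {finding['target']} "
              f"via parameter '{finding['param']}' = {finding['value']!r}")
```

Only query-string parameters are inspected here; for POST bodies the same `decoded_params` logic can be applied to the captured form body when the web server logs it. A hit does not by itself mean a compromise (Identity Manager does not evaluate such input, as stated above), but it is a useful signal that the deployment is being scanned.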