Struts Vulnerability - CVE-2020-17530 and its impact on Identity Manager

Article ID: 220339

Products

CA Identity Manager

Issue/Introduction

Is Identity Manager vulnerable to CVE-2020-17530?

https://struts.apache.org/announce.html
https://cwiki.apache.org/confluence/display/WW/S2-061
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17530

Environment

Release : 14.2, 14.3, 14.4

Component : IdentityMinder (Identity Manager)

Resolution

Identity Manager is not affected by the CVE-2020-17530 Struts 2 vulnerability.

CVE-2020-17530 affects Struts 2: forced OGNL evaluation of untrusted user input under double evaluation can lead to remote code execution (RCE) and security degradation.

Identity Manager's use of OGNL expressions is strictly for reading data from the server; it does not send, set, or allow user input to be double-evaluated.
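To make the distinction in the two paragraphs above concrete, the following added example (not code from the article, Struts, OGNL or Identity Manager) simulates a toy `%{name}` template syntax. `evaluate_once` resolves expressions only against server-side data and inserts the result verbatim, which is the "get data from the server" usage the article describes as safe; `evaluate_twice` re-evaluates the first pass's output, so a request parameter that merely contains expression syntax is treated as an expression, which is the double-evaluation failure mode. The `untrusted_expression_found` helper is an assumed defensive check that flags such parameters before they reach a sink; all names, the template and the sample data are constructed for illustration.

```python
import re

# Toy expression syntax standing in for OGNL's %{...}. Constructed for
# illustration only; this is not Struts or OGNL code.
EXPR = re.compile(r"%\{([^{}]*)\}")


def evaluate_once(template, context):
    """Resolve each %{name} against server-side context data.

    The looked-up value is inserted verbatim and never parsed as an
    expression: the safe 'read data from the server' usage.
    """
    return EXPR.sub(lambda m: str(context.get(m.group(1).strip(), "")), template)


def evaluate_twice(template, context):
    """Forced double evaluation (the unsafe pattern).

    The output of the first pass is evaluated again, so a value that merely
    *contained* expression syntax is now treated as an expression.
    """
    return evaluate_once(evaluate_once(template, context), context)


def untrusted_expression_found(params):
    """Assumed defensive check: report request parameters that carry
    expression syntax, so they can be rejected or escaped before reaching
    a double-evaluating sink."""
    return sorted(name for name, value in params.items() if EXPR.search(str(value)))


def demo():
    # Constructed sample data: two server-side attributes plus one request
    # parameter whose value happens to contain expression syntax.
    server_context = {"displayName": "Alice", "secretFlag": "server-only"}
    request_params = {"userInput": "%{secretFlag}"}
    context = {**server_context, **request_params}
    template = "<p id='%{userInput}'>%{displayName}</p>"

    once = evaluate_once(template, context)    # expression text stays literal
    twice = evaluate_twice(template, context)  # literal text is evaluated again
    flagged = untrusted_expression_found(request_params)
    return once, twice, flagged


if __name__ == "__main__":
    once, twice, flagged = demo()
    print("single evaluation:", once)
    print("double evaluation:", twice)
    print("parameters carrying expression syntax:", flagged)
```

Under single evaluation the request value appears in the output exactly as submitted; under double evaluation the same value is resolved a second time and pulls in `secretFlag`, a server-only attribute the user never named directly. The check in `untrusted_expression_found` is the kind of guard a defender wants in front of any sink that evaluates expressions more than once.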