Apache Struts 2.5.17 vulnerability in Siteminder AdminUI

book

Article ID: 225516

calendar_today

Updated On:

Products

SITEMINDER

Issue/Introduction

 

 

"struts2-core-2.5.17.jar" ships with the Siteminder r12.8.6 AdminUI.  There are published CVE's for 'struts2-core-2.5.17' which are resolved with version 2.5.26.

----------------------------------------

Plugin Output: 
  Path              : /opt/CA/smadminui/siteminder/adminui/standalone/deployments/iam_siteminder.ear/management_console.war/WEB-INF/lib/struts2-core-2.5.17.jar

  Installed version : 2.5.17
  Fixed version     : 2.5.26

----------------------------------------

 

 

 

 

Cause

Here is a list of CVE's:

==========================
CVE-2020-17530 Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

-------------------------------

CVE-2019-0233 An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.

Affected software : Apache Struts 2.0.0 - Struts 2.5.20.

-------------------------------

CVE-2019-0230 Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Affected software : Apache Struts 2.0.0 - Struts 2.5.20.
==========================

Environment

Release : 12.8.6 and older

Component : SITEMINDER WAM UI

Resolution

The struts2-core-2.5.17.jar is being using by management console.war. This  war is not being used by Sigeminder. This war is being shipped by IAM framework. Siteminder is planning to remove  struts2-core-2.5.17.jar in te  12.8.7 release of the AdminUI. 

In 12.8.4 we removed the module "IM_Management_Console" (management_console.war) information from the 'application.xml' & 'jboss-deployment-structure.xml' located in:

\CA\siteminder\standalone\deployments\iam_siteminder.ear\META-INF . 

To disable Apache Struts from the r12.8.3 and older Siteminder AdminUI:

1) Back-up "struts2-core-2.5.17.jar" then delete it, or rename it (e.g. "struts2-core-2.5.17.jar.BAK").

2) Restart the adminui.

3) Perform the CURD operations (Create, Update, Read, Delete) in the Policy Store to verify there are no issues.