Client Automation 14.5

https://nvd.nist.gov/vuln/detail/CVE-2023-50164

Client Automation uses Struts 2.5.31 for Web Admin Console and Struts 2.5.30 for CIC Manager & AMS which is vulnerable to RCE attack. https://nvd.nist.gov/vuln/detail/CVE-2023-50164

Long Term Remediation: Will be delivered as part of 14.5 CU7

Short Term Remediation:

Web Admin Console and AMS:

1. Start command prompt and type caf stop tomcat
2. Download the struts-2.5.33-min-lib.zip from Apache website :- https://struts.apache.org/download.cgi#struts2533
3. Extract struts-2.5.33-min-lib.zip and copy the struts2-core-2.5.33.jar from the extracted folder struts-2.5.33-min-lib\struts-2.5.33\lib .
4. Backup and remove the existing struts2-core-2.5.XX.jar (example struts2-core-2.5.31.jar) and paste the struts2-core-2.5.33.jar at Web Console\webapps\AMS\WEB-INF\lib and Web Console\webapps\wac\WEB-INF\lib directories.
5. Run caf start tomcat to start Web Admin Console.

CIC Manager for offline patch management:

1. Run CA\SC\CIC\Tomcat\bin\ShutdownCICManager.bat
2. Download the struts-2.5.33-min-lib.zip from Apache website :- https://struts.apache.org/download.cgi#struts2533
3. Extract struts-2.5.33-min-lib.zip and copy the struts2-core-2.5.33.jar from the extracted folder struts-2.5.33-min-lib\struts-2.5.33\lib .
4. Backup and remove the existing struts2-core-2.5.XX.jar (example struts2-core-2.5.30.jar) and paste the struts2-core-2.5.33.jar at CA\SC\CIC\Tomcat\webapps\CICManager\WEB-INF\lib directory.
5. Go to CA\SC\CIC\Tomcat\bin and run LaunchCICManager.bat.

This KB will be updated on a continuous basis as the situation evolves.