CA SDM AMS Apache Struts Vulnerability - CVE-2023-50164



Article ID: 277179


Products

CA Service Desk Manager; CA Service Management - Service Desk Manager

Issue/Introduction

CA SDM AMS uses Apache Struts version 2.5.30 in 17.3 RU23 and version 2.5.31 in 17.4 RU1.

These Struts versions are vulnerable to a remote code execution (RCE) attack (CVE-2023-50164).

Environment

CA Service Desk Manager 17.2, 17.3 RU23 and 17.4 RU1

All Supported Windows Operating Systems

Resolution

Long term remediation

Apache Struts will be upgraded to version 2.5.33 in CA SDM 17.4 RU2.

Short term remediation

1. Download struts-2.5.33-min-lib.zip from the Apache Struts website.

2. Extract the downloaded struts-2.5.33-min-lib ZIP file and copy struts2-core-2.5.33.jar from the extracted folder struts-2.5.33-min-lib\struts-2.5.33\lib.

3. Remove the existing struts2-core-2.5.31.jar from the following folder and paste the updated struts2-core-2.5.33.jar in its place:

NX_ROOT\bopcfg\www\CATALINA_BASE\webapps\AMS\WEB-INF\lib

4. Restart the CA SDM service from the Windows Services console.

As always, we recommend testing all changes in a non-PROD environment first.
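The four steps above as a PowerShell script (an added example, not part of the article or a CA-supplied tool). It assumes the ZIP has already been downloaded from the Apache site to $ZipPath; $NxRoot and $ServiceName are placeholders to be replaced with the values of your installation, and the service is stopped before the jar swap because Windows will not let you move a jar that a running Tomcat has open.

```powershell
# Added example: automates the short-term remediation for CVE-2023-50164 in CA SDM AMS.
# Placeholders (not from the article): $NxRoot, $ZipPath, $ServiceName.
param(
    [string]$NxRoot      = 'C:\Program Files\CA\Service Desk Manager',              # placeholder
    [string]$ZipPath     = "$env:USERPROFILE\Downloads\struts-2.5.33-min-lib.zip",  # step 1 output
    [string]$ServiceName = 'CA Service Desk Manager Server'                         # placeholder; confirm in services.msc
)
$ErrorActionPreference = 'Stop'

# Path from the article: NX_ROOT\bopcfg\www\CATALINA_BASE\webapps\AMS\WEB-INF\lib
$libDir  = Join-Path $NxRoot 'bopcfg\www\CATALINA_BASE\webapps\AMS\WEB-INF\lib'
$workDir = Join-Path $env:TEMP 'struts-2.5.33-min-lib'
$backup  = Join-Path $NxRoot ('struts-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

# Step 2: extract the ZIP and locate the replacement jar where the article says it lives.
Expand-Archive -LiteralPath $ZipPath -DestinationPath $workDir -Force
$newJar = Join-Path $workDir 'struts-2.5.33\lib\struts2-core-2.5.33.jar'
if (-not (Test-Path -LiteralPath $newJar)) {
    throw "struts2-core-2.5.33.jar not found under $workDir; check the ZIP layout"
}

# Stop Tomcat first so the old jar is not locked (step 4 restarts it at the end).
Stop-Service -Name $ServiceName

# Step 3: move every older struts2-core jar out of the webapp into a backup folder
# outside WEB-INF\lib (so Tomcat cannot load it), then copy in the patched jar.
New-Item -ItemType Directory -Path $backup | Out-Null
Get-ChildItem -LiteralPath $libDir -Filter 'struts2-core-*.jar' |
    Where-Object { $_.Name -ne 'struts2-core-2.5.33.jar' } |
    Move-Item -Destination $backup
Copy-Item -LiteralPath $newJar -Destination $libDir

# Step 4: bring the CA SDM service back up.
Start-Service -Name $ServiceName

# Verification: list every struts2-core jar still present under NX_ROOT. Only
# struts2-core-2.5.33.jar should remain in WEB-INF\lib; copies under <NXROOT>\Temp
# are leftovers from earlier Service Desk versions (see Additional Information).
Get-ChildItem -LiteralPath $NxRoot -Recurse -Filter 'struts2-core-*.jar' -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session, and keep the backup folder until the AMS web application has been confirmed working so the old jar can be restored if needed.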

Additional Information

If a vulnerability scan flags Struts files in the <NXROOT>\Temp folder of your Service Desk installation, those files are left over from previous versions of Service Desk and can be safely deleted.