Siteminder and Struts CVE-2023-50164.
Article ID: 277331
Updated On:
Products
Issue/Introduction
This article discuss CVE-2023-50164 impacting apache struts as described in the below articles and its impact on Siteminder products.
Environment
Release: Applicable to all supported SiteMinder releases.
Component: CA SiteMinder (CA Single Sign-On).
Resolution
We are confirming that the Siteminder suite is " NOT " impacted by the vulnerability " CVE-2023-50164 " as struts.jar is not being used in any of the Siteminder components.
- Starting with " 12.8 SP3 " release, the struts jar files have been removed from Siteminder except the AdminUI component under the following path.
Location: <Install_home>/adminui/standalone/deployments/iam_siteminder.ear/management_console.war/WEB-INF/lib/struts2-core-2.5.17.jar
- If the struts jar exists, please stop the AdminUI service and remove the jar file and start the AdminUI service back.
Location: " struts2-core-xxx.jar " file from <Install_home>/adminui/standalone/deployments/iam_siteminder.ear/management_console.war/WEB-INF/lib folder.
- Again, kindly make sure and stop the AdminUI service before removing the above mentioned jar.
Customers can just "remove" the "struts2-core-2.5.17.jar" or any version of " struts2-core-xxx.jar " from the Admin UI location.
Please note that we are NOT suggesting customers upgrade it to the latest non-vulnerable release and again, we are suggesting to "remove" it from the AdminUI location.
There will be NO limitations in the AdminUI console even after removing this struts2-core-xxx.jar from the Admin UI location.
Removal of any version of struts2-core-xxx.jar file from the Admin UI location does not have any functional impact on AdminUI.
As always, we highly recommend customers to take the backup of the "struts2-core-2.5.17.jar" (struts2-core-xxx.jar) file before removing it and please test this in a lower TEST environment first and test all the possible use cases at your end before making the same changes in your higher environments.
Feedback
