Impacts of Struts CVE-2023-50164 in SiteMinder



Article ID: 277331


Products

SITEMINDER

Issue/Introduction


What are the impacts of the Apache Struts vulnerability CVE-2023-50164 on SiteMinder products (1)(2)?


Environment

Release: Applicable for all supported versions.

Component: SiteMinder AdminUI.


Resolution


The SiteMinder product suite is "NOT" impacted by the vulnerability "CVE-2023-50164".

The Struts jar is not used by any of the SiteMinder components.

  • Starting with the 12.8 SP3 release, the Struts jar files have been removed from SiteMinder, except in the AdminUI component under the following path:

    <Install_home>/adminui/standalone/deployments/iam_siteminder.ear/management_console.war/WEB-INF/lib/struts2-core-2.5.17.jar

  • If the Struts jar exists, stop the AdminUI service, remove the jar file, and then start the AdminUI service again:

    the "struts2-core-xxx.jar" file in the <Install_home>/adminui/standalone/deployments/iam_siteminder.ear/management_console.war/WEB-INF/lib folder.

  • Ensure the AdminUI service is stopped before removing the above-mentioned jar.

The "struts2-core-2.5.17.jar", or any version of "struts2-core-xxx.jar", can be removed from the AdminUI location in this way.

Note also that there is no need to upgrade the AdminUI to the latest non-vulnerable release. Simply "remove" the mentioned jar from the AdminUI location.

There will be NO limitations in the AdminUI console even after removing this struts2-core-xxx.jar from the AdminUI location.

Removing any version of the struts2-core-xxx.jar file from the AdminUI location has no functional impact on the AdminUI.

As always, it is recommended to take a backup of the "struts2-core-2.5.17.jar" (struts2-core-xxx.jar) file before removing it. Test this in a lower TEST environment first, covering all possible use cases, before making the same change in the higher environments.
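The following POSIX shell script is an added example, not Broadcom-supplied tooling: it backs up and removes every struts2-core-*.jar from the AdminUI lib folder named above and lets you verify that none remain. It assumes the first argument is the SiteMinder <Install_home>; stopping and restarting the AdminUI service is left to the operator, since the article gives no service command.

```shell
#!/bin/sh
# Added example (not Broadcom's own tooling). Backs up and removes
# struts2-core-*.jar from the AdminUI lib folder referenced in the article.
# Assumption: the AdminUI service has already been stopped by the operator.

ADMINUI_LIB_REL="adminui/standalone/deployments/iam_siteminder.ear/management_console.war/WEB-INF/lib"

# remove_struts_jars <install_home> <backup_dir>
# Moves each struts2-core-*.jar out of the lib folder into <backup_dir>
# (a backup rather than a delete, as the article recommends) and prints
# the number of jars moved. Returns 1 if the lib folder does not exist.
remove_struts_jars() {
    install_home="$1"
    backup_dir="$2"
    lib_dir="$install_home/$ADMINUI_LIB_REL"
    [ -d "$lib_dir" ] || { echo "lib folder not found: $lib_dir" >&2; return 1; }
    mkdir -p "$backup_dir"
    moved=0
    for jar in "$lib_dir"/struts2-core-*.jar; do
        [ -f "$jar" ] || continue       # glob did not match: nothing to remove
        mv "$jar" "$backup_dir/"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# struts_jar_count <install_home>
# Prints how many struts2-core-*.jar files remain in the lib folder; use it
# to confirm the cleanup (expected: 0) before starting the AdminUI service.
struts_jar_count() {
    lib_dir="$1/$ADMINUI_LIB_REL"
    n=0
    for jar in "$lib_dir"/struts2-core-*.jar; do
        [ -f "$jar" ] && n=$((n + 1))
    done
    echo "$n"
}
```

Other jars in the same folder are left untouched; only files matching struts2-core-*.jar are moved to the backup directory.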


Additional Information