Apache Struts CVE-2023-34396 and CVE-2023-34149 applicability for Service Management

Article ID: 401189

Products

CA Service Management - Service Desk Manager CA Service Desk Manager CA Process Automation Base Process Automation Manager CA Service Catalog CA IT Asset Manager CA IT Asset Manager Asset Portfolio Management ASSET PORTFOLIO MGMT- SERVER CA Service Management - Asset Portfolio Management

Issue/Introduction

Concerning these two vulnerabilities, as reported by a vulnerability-scanner plugin (both are denial-of-service issues fixed in Apache Struts 2.5.31 and 6.1.2.1):

Vulnerability 1: plugin 177225 - Apache Struts < 2.5.31 / 6.1.2.1 Denial of Service (S2-064)
Related to: CVE-2023-34396 (out-of-memory denial of service from unchecked list bounds)

Vulnerability 2: plugin 177229 - Apache Struts 2.0.0 < 6.1.2.1 Denial of Service (S2-063)
Related to: CVE-2023-34149 (denial of service through multiple file uploads)

Is Service Management affected by the above?

Environment

Release:  17.4 and higher
CA Service Management

Resolution

Service Management 17.4 RU4 ships struts2-core-2.5.33.jar, which is later than the 2.5.31 fix release for both S2-063 and S2-064, so both vulnerabilities are addressed. The jar is present in the following two locations:

C:\Program Files (x86)\CA\Service Desk Manager\bopcfg\www\CATALINA_BASE\webapps\AMS\WEB-INF\lib
C:\Program Files (x86)\CA\SharedComponents\AMS\TomCat\webapps\AMS\WEB-INF\lib

Additional Information

There are no Struts jar files in Jasper 9.0 and above or in PAM 4.4 and above, so those components are not affected.

CA Service Catalog previously shipped an older struts.jar under the EEM Fulfillment functionality; it was removed as of 17.4 RU4 because it was no longer needed.