Apache Struts 1.x < 1.2.9 Denial of Service (CVE-2006-1547) vulnerability with arcotuds
Article ID: 406613


Products

CA Strong Authentication

Issue/Introduction

The vulnerability below is reported for the AuthMinder arcotuds component.

Apache Struts 1.x < 1.2.9 Denial of Service (CVE-2006-1547)


  Path              : /apps/arcotuds/webroot/WEB-INF/lib/struts-1.2.8.jar
  Installed version : 1.2.8
  Fixed version     : 1.2.9

Environment

CA Strong Authentication 9.1.x

Resolution

On initial review, this vulnerability does not appear to affect the product: the Apache Struts version used by the product was already upgraded to Struts 2.5.14.1. Confirmation is here: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/advanced-authentication/9-1/third-party-software-acknowledgments.html

Further investigation shows that the Admin Console and UDS components of Advanced Authentication no longer depend on Struts; that dependency has been replaced by Tiles 3.x. See the SP1 release notes here: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/advanced-authentication/9-1/release-notes-9-1/new-features-and-enhancements.html

This means the vulnerability does not affect the product, since Apache Struts is no longer needed.

On inspection of the arcotuds.war file, the Apache Struts JAR (the struts-1.2.8.jar flagged above) is still present. We have validated that the latest product release does not require the Apache Struts library, so the JAR can be considered safe to remove.
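As an added example (not part of this article, and not CA/Broadcom product code), the following Python script shows how to audit a WAR for bundled Struts 1.x jars the way the scanner did: it lists every struts-1.x jar under WEB-INF/lib, reads the version from the jar's MANIFEST.MF, compares it to the fixed version 1.2.9 from the finding above, and rewrites the archive without the jar once you have confirmed, as this article does for arcotuds, that the application no longer loads it. The WAR it builds is a constructed sample; the file names other than struts-1.2.8.jar are placeholders, and the script uses only the Python standard library.

```python
import io
import os
import re
import tempfile
import zipfile

# Matches Struts 1.x jars under WEB-INF/lib, e.g. WEB-INF/lib/struts-1.2.8.jar
STRUTS1_JAR_RE = re.compile(r"WEB-INF/lib/struts-(1\.\d+(?:\.\d+)?)\.jar$")

# Fixed version from the scanner finding (CVE-2006-1547)
FIXED_VERSION = "1.2.9"


def find_struts1_jars(war_path):
    """Return [(entry_name, version)] for every Struts 1.x jar bundled in the WAR.
    The version comes from the jar's Implementation-Version manifest attribute
    when present, otherwise from the file name."""
    found = []
    with zipfile.ZipFile(war_path) as war:
        for name in war.namelist():
            match = STRUTS1_JAR_RE.search(name)
            if not match:
                continue
            version = match.group(1)
            with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                if "META-INF/MANIFEST.MF" in jar.namelist():
                    manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                    mv = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
                    if mv:
                        version = mv.group(1)
            found.append((name, version))
    return found


def version_tuple(version):
    """Turn '1.2.8' into (1, 2, 8) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_below_fixed(version, fixed=FIXED_VERSION):
    """True when the bundled version is older than the fixed release."""
    return version_tuple(version) < version_tuple(fixed)


def remove_entries(war_path, entries):
    """Rewrite the WAR without the given entries (zip archives cannot be edited
    in place) and return how many entries were dropped."""
    entries = set(entries)
    dropped = 0
    tmp_path = war_path + ".tmp"
    with zipfile.ZipFile(war_path) as src, \
            zipfile.ZipFile(tmp_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename in entries:
                dropped += 1
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, war_path)
    return dropped


def build_sample_war(path):
    """Constructed sample WAR: a fake struts-1.2.8.jar whose manifest reports
    Implementation-Version 1.2.8, plus an unrelated placeholder jar."""
    struts_jar = io.BytesIO()
    with zipfile.ZipFile(struts_jar, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\nImplementation-Version: 1.2.8\n")
    other_jar = io.BytesIO()
    with zipfile.ZipFile(other_jar, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/struts-1.2.8.jar", struts_jar.getvalue())
        war.writestr("WEB-INF/lib/placeholder-tiles-3.jar", other_jar.getvalue())  # placeholder name
    return path


def audit_sample():
    """Build the constructed WAR in a temp dir, audit it, strip the vulnerable jar,
    and return the before/after findings."""
    war = build_sample_war(os.path.join(tempfile.mkdtemp(), "arcotuds.war"))
    before = find_struts1_jars(war)
    vulnerable = [(name, ver) for name, ver in before if is_below_fixed(ver)]
    dropped = remove_entries(war, [name for name, _ in vulnerable])
    after = find_struts1_jars(war)
    return {"before": before, "vulnerable": vulnerable, "dropped": dropped, "after": after}


if __name__ == "__main__":
    print(audit_sample())
```

Run `find_struts1_jars` against the real arcotuds.war first and keep the report; only call `remove_entries` after confirming, as the article's resolution does, that the component no longer references the Struts classes, and re-run the scanner afterwards to confirm the finding is cleared.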