Is APM Affected by the Apache Struts 2 CVE-2017-5638 vulnerability?

Article ID: 6207

Products

APP PERF MANAGEMENT, CA Application Performance Management Agent (APM / Wily / Introscope), CUSTOMER EXPERIENCE MANAGER, INTROSCOPE

Issue/Introduction

The CVE-2017-5638 vulnerability was recently detected in the Apache Struts library: https://cwiki.apache.org/confluence/display/WW/S2-045. Does this vulnerability affect any version of APM?

Environment

All supported versions of APM (up to release APM 10.5.1).

Resolution

The CVE-2017-5638 vulnerability report describes two Struts 2 framework classes that allow for the vulnerability (specifically, the FileUploadInterceptor.java and LocalizedTextUtil.java classes).

APM currently uses the Struts 1.1, Struts 1.2.7 and Struts-menu 2.3 frameworks, which do not make use of the affected classes. The Struts-menu 2.3 library (although versioned 2.3) is an independent library, and the affected classes are not available in any Struts 1.x framework. Therefore, APM is not affected by this vulnerability.
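
To confirm this on a given installation, the following added example (not CA's tooling or code from the original article) walks a directory, opens every JAR/WAR/EAR including archives nested inside them, and reports any entry whose class file name matches the two classes named above. The sample archive names and the tree built in `demo()` are constructed for illustration; matching is by class file name only, so a hit means "inspect this archive", not proof of exposure.

```python
import io, os, tempfile, zipfile

# Class names the page cites from the CVE-2017-5638 report; matched by file
# name only, so no package path is assumed.
AFFECTED = {"FileUploadInterceptor.class", "LocalizedTextUtil.class"}
ARCHIVES = (".jar", ".war", ".ear")

def scan_archive(fileobj, label, hits, unreadable):
    """Record affected class entries in one archive, descending into nested ones."""
    try:
        zf = zipfile.ZipFile(fileobj)
    except zipfile.BadZipFile:
        unreadable.append(label)  # report it; never treat unreadable as clean
        return
    with zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] in AFFECTED:
                hits.setdefault(label, []).append(name)
            elif name.lower().endswith(ARCHIVES):
                scan_archive(io.BytesIO(zf.read(name)), f"{label}!/{name}", hits, unreadable)

def scan_tree(root):
    """Walk an install directory; return ({archive: [entries]}, [unreadable])."""
    hits, unreadable = {}, []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, f)
                scan_archive(path, os.path.relpath(path, root), hits, unreadable)
    return hits, unreadable

def make_jar(entries):
    """Build an in-memory archive from {entry name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():
    """Scan a constructed tree: one Struts 1.x style jar, one WAR bundling Struts 2."""
    s1 = make_jar({"org/apache/struts/action/ActionServlet.class": b""})
    s2 = make_jar({"org/apache/struts2/interceptor/FileUploadInterceptor.class": b"",
                   "com/opensymphony/xwork2/util/LocalizedTextUtil.class": b""})
    with tempfile.TemporaryDirectory() as root:
        for fname, data in {"struts-sample-1x.jar": s1, "broken.jar": b"not a zip",
                            "app.war": make_jar({"WEB-INF/lib/struts2-sample.jar": s2})}.items():
            with open(os.path.join(root, fname), "wb") as fh:
                fh.write(data)
        return scan_tree(root)
```

Call `scan_tree()` on the actual APM installation directory; an empty hit map with an empty unreadable list is consistent with the statement above.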

Additional Information

As always, please contact CA Support if you have any further questions.