Siteminder Administrative UI Java Struts Vulnerabilities
Article ID: 76230
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
Issue/Introduction
We've found a vulnerability in AdminUI that runs the Java Struts component.
In facts, Siteminder Administrative UI is using Java Struts. The used version for 12.52 SP1 CR6 AdminUi is 1.2.8 which was published in 2006.
There are several reported vulnerabilities regarding this framework.
https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/Apache-Struts.html
We need a secure current version deployed for AdminUI. How can we solve it?
In facts, Siteminder Administrative UI is using Java Struts. The used version for 12.52 SP1 CR6 AdminUi is 1.2.8 which was published in 2006.
There are several reported vulnerabilities regarding this framework.
https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/Apache-Struts.html
We need a secure current version deployed for AdminUI. How can we solve it?
Environment
12.52 - 12.52 SP1 CR9
any supported operating system
Resolution
Workaround:
This jar is not used by AdminUI but there is another application in JBoss that we ship called “sitemindermanage” that has this struts.jar in its WEB-INF/lib.
So, you can take a backup of this file and safely delete the jar if you are not using “sitemindermanage” application
The "/iam/sitemindermanage" application is not used for Single Sign-On Adminstration.
It is part of the IAM Framework so it came bundled together but it is not used in Single SIgn-On Administration.
So, you should have no impact even when you disable that feature.
If you remove struts jar file, you will end up with an exception as shown below during WAMUI startup. But this will not affect our WAMUI functionality.
2017-09-14 06:07:34,283 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/iam/sitemindermanage]] (main) Servlet /iam/sitemindermanage threw load() exception
java.lang.ClassNotFoundException: org.apache.struts.action.ActionServlet
at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
at org.jboss.web.tomcat.service.TomcatInjectionContainer.newInstance(TomcatInjectionContainer.java:262)
at org.jboss.web.tomcat.service.TomcatInjectionContainer.newInstance(TomcatInjectionContainer.java:256)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1006)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:950)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4122)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4421)
at org.jboss.web.tomcat.service.deployers.TomcatDeployment.performDeployInternal(TomcatDeployment.java:310)
at org.jboss.web.tomcat.service.deployers.TomcatDeployment.performDeploy(TomcatDeployment.java:142)
at org.jboss.web.deployers.AbstractWarDeployment.start(AbstractWarDeployment.java:461)
at org.jboss.web.deployers.WebModule.startModule(WebModule.java:118)
at org.jboss.web.deployers.WebModule.start(WebModule.java:97)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:157)
This jar is not used by AdminUI but there is another application in JBoss that we ship called “sitemindermanage” that has this struts.jar in its WEB-INF/lib.
So, you can take a backup of this file and safely delete the jar if you are not using “sitemindermanage” application
The "/iam/sitemindermanage" application is not used for Single Sign-On Adminstration.
It is part of the IAM Framework so it came bundled together but it is not used in Single SIgn-On Administration.
So, you should have no impact even when you disable that feature.
If you remove struts jar file, you will end up with an exception as shown below during WAMUI startup. But this will not affect our WAMUI functionality.
2017-09-14 06:07:34,283 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/iam/sitemindermanage]] (main) Servlet /iam/sitemindermanage threw load() exception
java.lang.ClassNotFoundException: org.apache.struts.action.ActionServlet
at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
at org.jboss.web.tomcat.service.TomcatInjectionContainer.newInstance(TomcatInjectionContainer.java:262)
at org.jboss.web.tomcat.service.TomcatInjectionContainer.newInstance(TomcatInjectionContainer.java:256)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1006)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:950)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4122)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4421)
at org.jboss.web.tomcat.service.deployers.TomcatDeployment.performDeployInternal(TomcatDeployment.java:310)
at org.jboss.web.tomcat.service.deployers.TomcatDeployment.performDeploy(TomcatDeployment.java:142)
at org.jboss.web.deployers.AbstractWarDeployment.start(AbstractWarDeployment.java:461)
at org.jboss.web.deployers.WebModule.startModule(WebModule.java:118)
at org.jboss.web.deployers.WebModule.start(WebModule.java:97)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:157)
Additional Information
For Single Sign on 12.6-12.8, please see the following KB Article.
Remove struts.jar file in AdminUI 12.7 or 12.8
https://comm.support.ca.com/kb/upgrade-version-of-struts-jar-file-in-adminui/kb000109834
Feedback
Powered by
