Apache Struts version upgrade in WAM-UI

Document ID : KB000016104
Last Modified Date : 14/02/2018
Question:

Apache Struts 1.2.8, which ships with the SiteMinder Administrative UI 12.52 SP1 CR6, is affected by the following CVEs:

CVE-2016-1182

CVE-2016-1181

CVE-2015-0899 

CVE-2014-0114

https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/Apache-Struts.html

Do you have any plans to upgrade Apache Struts to a version that is not affected by the indicated CVEs?

Environment:
12.52 SP1 CR6 AdminUI on Red Hat 6 64-bit
Answer:

There are no plans to upgrade this jar as it has been removed in higher versions (12.6 SP1 and above). 

Apache Struts is removed from the Third Party Software section in 12.6 SP1 and above, so the Administrative UI in those releases isn't affected by those vulnerabilities. Upgrade the AdminUI together with the Policy Server and Policy Store.
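To check whether a given AdminUI host still carries the Struts jar before or after the upgrade, the following added example (not the vendor's code and not part of the original article) walks an install directory, including jars nested inside WAR/EAR archives, and reports each Struts jar with the version from its manifest. The `struts*.jar` file-name pattern and the `Implementation-Version` manifest attribute are assumptions; pass the install path as the first argument.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

ARCHIVE_EXT = (".jar", ".war", ".ear")
# Assumption: the library is packaged under a name starting with "struts".
STRUTS_NAME = re.compile(r"(^|/)struts[^/]*\.jar$", re.I)

def manifest_version(zf):
    """Return Implementation-Version from the jar manifest, or None if absent."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def scan_archive(data, label, depth=0):
    """Yield (location, version) for Struts jars at or nested inside this archive."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; skip it
    with zf:
        if STRUTS_NAME.search(label.replace("\\", "/")):
            yield label, manifest_version(zf)
        if depth >= 3:  # bound recursion into nested archives
            return
        for name in zf.namelist():
            if name.lower().endswith(ARCHIVE_EXT):
                yield from scan_archive(zf.read(name), f"{label}!/{name}", depth + 1)

def find_struts(root):
    """Scan every jar/war/ear under root and return a list of (location, version)."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_EXT:
            hits.extend(scan_archive(p.read_bytes(), str(p)))
    return hits

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for loc, ver in find_struts(root):
        print(f"{loc}\tversion={ver or 'unknown'}")
```

An empty result on a 12.6 SP1 or later AdminUI matches the statement above that the jar has been removed; a hit reporting 1.2.8 identifies a host that still needs the upgrade.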

 
