Apache Struts vulnerability (CVE-2016-3081)

Document ID : KB000013747
Last Modified Date : 14/02/2018
Introduction:

Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3081


Question:

Does the Apache Struts vulnerability CVE-2016-3081 affect a SiteMinder (CA Single Sign-On) installation?

Environment:
12.52 SP1, 12.52 SP2, 12.6 SP1
Answer:

CA SSO 12.52 SP1 ships with a Struts 1.2.8 jar; 12.52 SP2 and 12.6 SP1 ship with Struts 1.2.9. In all three releases it is Struts 1.x, not Struts 2.x.

This jar is not used by WAMUI, but another application we ship in JBoss, “sitemindermanage”, carries this struts.jar in its WEB-INF/lib.

This jar can be removed if “sitemindermanage” application is not used.


Therefore, CVE-2016-3081 does not apply: the reported problem is in Struts 2 (the OGNL-based Dynamic Method Invocation handling of the `method:` prefix in the Struts 2 action mapper), and Struts 1 is a separate code base that has no such mechanism. Even so, removing the unused jar from “sitemindermanage” reduces the attack surface and keeps scanners that match on jar names from raising false positives.
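The check an administrator would actually run is to inventory every struts*.jar under the JBoss deployment, read its version, and classify it against the version ranges in the CVE summary quoted above, together with a look at whether Dynamic Method Invocation is explicitly enabled or disabled in struts.xml. The following script is an added example and is not CA's or Apache's code. It encodes the affected ranges literally as the CVE text states them (the Apache Struts security bulletin remains the authoritative list), treats any Struts 1.x jar as out of scope for this CVE, and builds a constructed sample deployment (a "sitemindermanage.war" with a Struts 1.2.9 jar and a hypothetical second war with a Struts 2.3.24.1 jar) in a temporary directory so it runs offline.

```python
"""Inventory Struts jars under a JBoss deployment directory and classify them
against the CVE-2016-3081 version ranges. Added example, not vendor code."""
import os
import re
import tempfile
import zipfile

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?$")
FILENAME_VERSION_RE = re.compile(r"-(\d+(?:\.\d+)+)\.jar$")
CONSTANT_TAG_RE = re.compile(r"<constant\b[^>]*>", re.IGNORECASE)


def parse_version(text):
    """Turn '2.3.24.1' into (2, 3, 24, 1); missing components become 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def jar_version(path):
    """Read the version from META-INF/MANIFEST.MF, falling back to the version
    embedded in the file name (e.g. struts2-core-2.3.24.1.jar)."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            key, _, value = line.partition(":")
            if key.strip() in ("Implementation-Version", "Specification-Version"):
                version = parse_version(value)
                if version:
                    return version
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # no manifest or not a jar: try the file name
    m = FILENAME_VERSION_RE.search(os.path.basename(path))
    return parse_version(m.group(1)) if m else None


def affected_by_cve_2016_3081(version):
    """Literal encoding of the CVE summary: 2.x before 2.3.20.2,
    2.3.24.x before 2.3.24.2, 2.3.28.x before 2.3.28.1.
    Struts 1.x is a different code base with no DMI 'method:' prefix."""
    if version is None or version[0] != 2:
        return False
    if version[:3] == (2, 3, 24):
        return version < (2, 3, 24, 2)
    if version[:3] == (2, 3, 28):
        return version < (2, 3, 28, 1)
    return version < (2, 3, 20, 2)


def dmi_setting(struts_xml):
    """True/False when struts.xml sets struts.enable.DynamicMethodInvocation
    explicitly, None when it is absent (the framework default then applies)."""
    for tag in CONSTANT_TAG_RE.findall(struts_xml):
        if "struts.enable.DynamicMethodInvocation" in tag:
            m = re.search(r'value\s*=\s*"(\w+)"', tag)
            return None if not m else m.group(1).lower() == "true"
    return None


def scan(deploy_root):
    """Return sorted (relative path, version tuple, affected) for every
    struts*.jar below deploy_root."""
    hits = []
    for dirpath, _, files in os.walk(deploy_root):
        for name in files:
            if name.lower().startswith("struts") and name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                hits.append((os.path.relpath(path, deploy_root), version,
                             affected_by_cve_2016_3081(version)))
    return sorted(hits)


def make_jar(path, manifest_version=None):
    """Constructed sample jar: a manifest only, enough for jar_version()."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    lines = ["Manifest-Version: 1.0"]
    if manifest_version:
        lines.append("Implementation-Version: " + manifest_version)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")


def sample_scan():
    """Build the constructed deployment tree in a temp dir and scan it.
    'other.war' and its Struts 2 jar are hypothetical, added for contrast."""
    with tempfile.TemporaryDirectory() as root:
        make_jar(os.path.join(root, "sitemindermanage.war", "WEB-INF", "lib",
                              "struts.jar"), "1.2.9")
        make_jar(os.path.join(root, "other.war", "WEB-INF", "lib",
                              "struts2-core-2.3.24.1.jar"))
        return [(os.path.basename(p), v, a) for p, v, a in scan(root)]


if __name__ == "__main__":
    for name, version, affected in sample_scan():
        shown = ".".join(map(str, version)) if version else "unknown"
        verdict = "AFFECTED by CVE-2016-3081" if affected else "not in CVE-2016-3081 range"
        print(f"{name}: Struts {shown} -> {verdict}")
```

Point `scan()` at the JBoss deployment directory of a real installation instead of the constructed tree; a Struts 1.x hit in sitemindermanage.war/WEB-INF/lib is the expected result on the releases listed above, and any 2.x hit in the affected range should be paired with a `dmi_setting()` check of that application's struts.xml, since the CVE only applies when Dynamic Method Invocation is enabled.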

Additional Information:

TEC601196 - How to access the SiteMinder environment for AdminUI? 

https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.tec601196.html