Apache Struts vulnerability

Document ID : KB000013747
Last Modified Date : 14/02/2018

Apache Struts 2.x before, 2.3.24.x before, and 2.3.28.x before, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.




Does the Apache Struts vulnerability (CVE-2016-3081) affect the SiteMinder installation?

12.52 SP1, 12.52 SP2, 12.6 SP1

The Struts 1.2.8 jar in 12.52 SP1 and the Struts 1.2.9 jar in 12.52 SP2 and 12.6 SP1 are shipped with CA-SSO.

This jar is not used by WAMUI, but another application that we ship in JBoss, called “sitemindermanage”, has this struts.jar in its WEB-INF/lib.

This jar can be removed if the “sitemindermanage” application is not used.


Therefore, the vulnerability does not apply, because the reported problem is in Struts 2 and not in Struts 1.
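
One way to confirm which Struts generation a deployed web application actually carries, added here as an example and not CA's own tooling: it classifies each jar under WEB-INF/lib by package prefix (org/apache/struts2/ versus org/apache/struts/). The web application directory is supplied by the operator, and the manifest version is reported only when the jar declares an Implementation-Version.

```python
import re
import zipfile
from pathlib import Path

# Package prefixes that distinguish the two frameworks inside a jar.
STRUTS2_PREFIX = "org/apache/struts2/"   # Struts 2 (where CVE-2016-3081 is reported)
STRUTS1_PREFIX = "org/apache/struts/"    # Struts 1 (separate code base)


def classify_jar(jar_path):
    """Return (generation, manifest_version) for one jar.

    generation is "struts2", "struts1" or None; manifest_version is the
    Implementation-Version from META-INF/MANIFEST.MF, or None if absent.
    """
    with zipfile.ZipFile(jar_path) as jar:
        names = jar.namelist()
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            version = match.group(1) if match else None
    if any(n.startswith(STRUTS2_PREFIX) and n.endswith(".class") for n in names):
        return "struts2", version
    if any(n.startswith(STRUTS1_PREFIX) and n.endswith(".class") for n in names):
        return "struts1", version
    return None, version


def scan_webapp(webapp_root):
    """Classify every jar under <webapp_root>/WEB-INF/lib; skip non-Struts jars."""
    findings = {}
    lib_dir = Path(webapp_root) / "WEB-INF" / "lib"
    for jar_path in sorted(lib_dir.glob("*.jar")):
        try:
            generation, version = classify_jar(jar_path)
        except zipfile.BadZipFile:
            findings[jar_path.name] = ("unreadable", None)
            continue
        if generation:
            findings[jar_path.name] = (generation, version)
    return findings


if __name__ == "__main__":
    import sys
    for name, (gen, ver) in scan_webapp(sys.argv[1]).items():
        print(f"{name}: {gen} (manifest version: {ver})")
```

A jar reported as "struts2" is the case to check against the CVE's affected versions; a jar reported as "struts1" matches the situation described above.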

Additional Information:

TEC601196 - How to access the SiteMinder environment for AdminUI?