Are APM components impacted by any vulnerability for the Struts Framework?

Document ID : KB000015766
Last Modified Date : 03/09/2018
Introduction:

The following vulnerabilities have been reported in the Apache Struts Framework:

1) Possible Remote Code Execution attack when using the Struts REST plugin with the XStream handler to handle XML payloads.
https://struts.apache.org/docs/s2-052.html
Affected: Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12

2) A high-risk vulnerability has been reported in Apache Struts, which can be exploited by malicious actors to compromise vulnerable systems through an RCE (Remote Code Execution) attack.
https://cwiki.apache.org/confluence/display/WW/S2-057
Affected: Struts 2.3 - Struts 2.3.34, Struts 2.5 - Struts 2.5.16

Question:

Are APM components impacted by any vulnerability in Apache Struts?

Environment:

APM 9.x and 10.x

Answer:

Overall, APM 9.7 to 10.7+ is not impacted by the above Apache Struts vulnerabilities, as it does not use any of the problematic 2.x versions.

1) The APM Webview login page and CEM Tess use Struts Framework versions 1.2.7 and 1.2.4; however, the APM Development team has removed the Struts dependency starting from 10.5.2 Hotfix #35.

NOTE: Struts-menu-2.3.jar is a tag library that is not related to the Struts 2 framework. This tag library is only used on the client side to render the menus. No user input is sent to the server through these menus.

2) The APM Command Center (ACC) and Agents do not use the Struts library.
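
The following is an added example, not part of the original article or of any CA tooling: a version check that compares Struts jar file names against the affected ranges listed above and skips the struts-menu tag library mentioned in the NOTE. It assumes jars follow the usual `<artifact>-<version>.jar` naming and that the framework ships as `struts`, `struts-core` or `struts2-core`; the sample file names are constructed. A version match does not by itself establish S2-052 exposure, which per the advisory also depends on the REST plugin with the XStream handler.

```python
import re

# Affected ranges exactly as listed in this article (inclusive bounds).
AFFECTED = {
    "S2-052": [((2, 1, 2), (2, 3, 33)), ((2, 5, 0), (2, 5, 12))],
    "S2-057": [((2, 3, 0), (2, 3, 34)), ((2, 5, 0), (2, 5, 16))],
}

# Assumption: jars follow the usual Maven naming "<artifact>-<version>.jar".
JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d+(?:\.\d+)*)\.jar$"
)

# Assumed framework artifact names. struts-menu is a separate tag library
# (see the NOTE above), so its "2.3" must not be read as Struts 2.3.
FRAMEWORK_ARTIFACTS = {"struts", "struts-core", "struts2-core"}


def parse_version(text):
    """Turn '2.3.33' into (2, 3, 33), padding short versions such as '2.5'."""
    parts = [int(p) for p in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def advisories_for(jar_name):
    """Return the advisories from this article whose range covers the jar.

    Returns None when the file is not a Struts framework jar at all,
    and an empty list when it is one but falls outside every listed range.
    """
    match = JAR_RE.match(jar_name)
    if not match or match.group("artifact").lower() not in FRAMEWORK_ARTIFACTS:
        return None
    version = parse_version(match.group("version"))
    return sorted(
        name
        for name, ranges in AFFECTED.items()
        if any(low <= version <= high for low, high in ranges)
    )


if __name__ == "__main__":
    # Constructed file names for illustration, not an inventory of an APM install.
    for jar in ["struts-1.2.7.jar", "struts-menu-2.3.jar",
                "struts2-core-2.3.33.jar", "struts2-core-2.5.14.jar"]:
        hits = advisories_for(jar)
        label = "not a Struts framework jar" if hits is None else (hits or "outside listed ranges")
        print(jar, "->", label)
```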