Are APM components impacted by any vulnerability for the Struts Framework?

Document ID : KB000015766
Last Modified Date : 14/02/2018
Introduction:

The Struts Framework has the vulnerability stated by Apache as "Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads." Details are in https://struts.apache.org/docs/s2-052.html.

Note that APM components use the Struts Framework but are not susceptible to this vulnerability.

Question:

Are APM components impacted by any vulnerability for the Struts Framework?

Environment:
APM 10.x
Apache
Answer:

The APM codebase has a couple of binaries related to Struts: the Struts 1.1, Struts 1.2.7 and struts-menu 2.3 jars.

The "XStreamHandler" class mentioned in the advisory is not used by any of the jars and versions listed above.

The vulnerability described in the advisory affects Struts 2.1.2 - Struts 2.3.33 and Struts 2.5 - Struts 2.5.12; APM components do not use those versions.

Considering the above information, APM components are not susceptible to this vulnerability.
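The answer above rests on two checks: whether a Struts jar falls in the affected version ranges, and whether it ships the XStreamHandler class at all. The script below applies both checks to a set of jars; it is an added example, not code from the KB article or from CA. The handler class path, the manifest parsing and the three sample jars it builds are assumptions and constructed inputs, included so it runs offline.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Affected Struts 2 ranges quoted in the article (inclusive bounds).
AFFECTED = [((2, 1, 2), (2, 3, 33)), ((2, 5, 0), (2, 5, 12))]
# Class named in the advisory; assumed path inside the REST plugin jar.
HANDLER = "org/apache/struts2/rest/handler/XStreamHandler.class"

def parse_version(text):
    """'2.3.33' or '2.5' at the end of text -> (2, 3, 33) / (2, 5, 0); None if absent."""
    m = re.search(r"(\d+(?:\.\d+)*)$", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def assess_jar(path):
    """Classify one jar: Struts 2 or not, its version, and whether it ships the handler."""
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        version = None
        if "META-INF/MANIFEST.MF" in names:
            for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    version = parse_version(line.split(":", 1)[1])
    version = version or parse_version(Path(path).stem)  # fall back to the file name
    is_struts2 = any(n.startswith("org/apache/struts2/") for n in names)
    in_range = version is not None and any(lo <= version <= hi for lo, hi in AFFECTED)
    has_handler = HANDLER in names
    # A version alone is misleading: struts-menu2.3 parses as 2.3.0, inside the
    # affected range, but it is not Struts 2, so the package check gates the range.
    return {"jar": Path(path).name, "version": version, "struts2": is_struts2,
            "has_handler": has_handler, "affected": has_handler or (is_struts2 and in_range)}

def make_jar(path, entries, version=None):
    """Write a constructed sample jar with empty class entries and an optional manifest."""
    with zipfile.ZipFile(path, "w") as zf:
        if version:
            zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for entry in entries:
            zf.writestr(entry, b"")

def demo(root=None):
    """Build three constructed jars (Struts 1.2.7, struts-menu 2.3, a Struts 2 REST plugin) and assess them."""
    root = Path(root or tempfile.mkdtemp())
    make_jar(root / "struts.jar", ["org/apache/struts/action/Action.class"], "1.2.7")
    make_jar(root / "struts-menu2.3.jar", ["net/sf/navigator/menu/MenuComponent.class"])
    make_jar(root / "struts2-rest-plugin-2.3.20.jar", ["org/apache/struts2/rest/RestActionMapper.class", HANDLER])
    return {r["jar"]: r for r in (assess_jar(p) for p in sorted(root.glob("*.jar")))}
```

Only the constructed Struts 2 REST plugin jar is flagged; the Struts 1.2.7 and struts-menu jars the article lists come out clean, matching its conclusion.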

Additional Information:

In addition, APM components use Struts 1.2.7, and only for login/authentication.