Is API Developer Portal vulnerable to CVE-2017-9805?

Document ID : KB000015791
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

There is a CVE known as CVE-2017-9805, which Red Hat describes as the following:

"The REST Plugin in Apache Struts2 is using a XStreamHandler with an instance of XStream for deserialization without any type filtering which could lead to Remote Code Execution when deserializing XML payloads. An attacker could use this flaw to execute arbitrary code or conduct further attacks."

Question:

Is API Developer Portal vulnerable to CVE-2017-9805? Does the API Developer Portal even use Apache Struts in the first place?

Environment:
This CVE affects Apache Struts. Question asked in reference to API Developer Portal, but this question could also be asked of the other CA API Management products such the CA API Gateway, CA Mobile API Gateway, and more.
Answer:

No, the CA API Developer Portal is not vulnerable to CVE-2017-9805 as Apache Struts is not used in the product. In fact, Apache Stuts is not used in the API Gateway or related products either, meaning that none of the CA API Management products are vulnerable to any Apache Struts-related CVE. Note: This may be subject to change in the future, but as of the time of this writing, no CA API Management products are actively including Apache Struts.

Additionally, Red Hat states the following on their page for CVE-2017-9805:

"This issue did not affect any of the Red Hat products as they did not include the Apache Struts 2 package."

Additional Information: