Is APM Affected by the Apache Struts 2 CVE-2017-5638 vulnerability?

Document ID : KB000006207
Last Modified Date : 14/02/2018
Issue:

The CVE-2017-5638 vulnerability was recently reported in the Apache Struts library: https://cwiki.apache.org/confluence/display/WW/S2-045. Does this vulnerability affect any version of APM?

Environment:
All supported versions of APM (up to release APM 10.5.1).
Resolution:

The CVE-2017-5638 vulnerability report identifies two Struts 2 framework classes that allow for the vulnerability: FileUploadInterceptor.java and LocalizedTextUtil.java.

APM currently makes use of the Struts 1.1, Struts 1.2.7 and Struts-menu 2.3 frameworks, which do not make use of the affected classes. The Struts-menu 2.3 library (though numbered v2.3) is an independent library, and the affected classes are not available in any Struts 1.x framework. Therefore, APM is not affected by this vulnerability.
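
To confirm on a given installation that neither class is deployed, the following added example (not CA or APM tooling) scans a directory tree for .jar/.war/.ear files, including archives nested inside them, and reports any that contain the two classes. The package paths are those used by the Struts 2 core and XWork jars; the directory passed on the command line is an assumption about where the product is installed.

```python
import io
import os
import sys
import zipfile

# Entries for the two classes named in the S2-045 report (package paths as
# shipped in the Struts 2 core and XWork jars).
AFFECTED = (
    "org/apache/struts2/interceptor/FileUploadInterceptor.class",
    "com/opensymphony/xwork2/util/LocalizedTextUtil.class",
)
ARCHIVE_EXT = (".jar", ".war", ".ear")


def scan_archive(data, label):
    """Return [(archive_label, entry)] hits, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # unreadable archive: skip rather than abort the scan
    hits = []
    with zf:
        for name in zf.namelist():
            if name.endswith(AFFECTED):
                # endswith also catches WEB-INF/classes/... copies in a WAR
                hits.append((label, name))
            elif name.lower().endswith(ARCHIVE_EXT):
                hits += scan_archive(zf.read(name), label + "!/" + name)
    return hits


def scan_tree(root):
    """Scan every .jar/.war/.ear file under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    hits += scan_archive(fh.read(), path)
    return hits


if __name__ == "__main__":
    # Installation directory is supplied by the operator; defaults to cwd.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for archive, entry in scan_tree(root):
        print(archive, entry)
```

No output means neither class was found in any archive under the directory scanned.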

Additional Information:

     As always, please contact CA Support if you have any further questions.