Is APM Affected by the Apache Struts 2 CVE-2017-5638 vulnerability?

Document ID : KB000006207

Last Modified Date : 14/02/2018

Issue:

The CVE-2017-5638 vulnerability was recently detected for the Apache Struts library: https://cwiki.apache.org/confluence/display/WW/S2-045 . Does this vulnerability affect any version of APM?

Environment:

All supported versions of APM (up to release APM 10.5.1).

Resolution:

The CVE-2017-5638 vulnerability report describes two Struts 2 framework classes which allow for the vulnerability (specifically the FileUploadInterceptor.java and LocalizedTextUtil.java classes).

APM currently makes use of the Struts 1.1, Struts 1.2.7 and Struts-menu2.3 frameworks, which do not make use the affected classes. The Struts-menu 2.3 library(though v2.3) is an independent library and the classes affected are not available in any Struts 1.x framework. Therefore APM is not affected by this vulnerability.

Additional Information:

As always, please contact CA Support if you have any further questions.

Was this information helpful?