Is CA Spectrum vulnerable to CVE-2018-11776 (Apache Struts Remote Code Execution)?

Document ID : KB000112642
Last Modified Date : 31/08/2018
Introduction:
(Taken from the vulnerability description for CVE-2018-11776)

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution (CVE-2018-11776) when using results with no namespace and, at the same time, its upper action(s) have no or wildcard namespace. The same possibility exists when using a url tag which doesn't have value and action set and, at the same time, its upper action(s) have no or wildcard namespace.
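The condition above is a configuration pattern, so it can be audited directly in struts.xml. The script below is an added example (not CA's code and not Spectrum's configuration): it parses a constructed struts.xml and flags actions in packages whose namespace is missing or a wildcard when their redirectAction or chain result does not pin its own namespace, and records whether struts.mapper.alwaysSelectFullNamespace is enabled, the setting under which S2-057 applies. It assumes the sample packages, actions and class names shown, and does not cover the url-tag condition, which lives in JSP templates rather than struts.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts.xml: package "wild" shows the risky pattern
# (wildcard namespace, redirectAction result with no namespace param);
# package "safe" pins both the package and the result namespace.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="wild" extends="struts-default" namespace="/*">
    <action name="hello" class="com.example.HelloAction">
      <result type="redirectAction">
        <param name="actionName">date</param>
      </result>
    </action>
  </package>
  <package name="safe" extends="struts-default" namespace="/app">
    <action name="hello" class="com.example.HelloAction">
      <result type="redirectAction">
        <param name="actionName">date</param>
        <param name="namespace">/app</param>
      </result>
    </action>
  </package>
</struts>
"""

# Result types whose target namespace may be derived from the request.
RISKY_RESULT_TYPES = {"redirectAction", "chain"}


def full_namespace_enabled(root):
    """True if struts.mapper.alwaysSelectFullNamespace is set to true."""
    return any(c.get("name") == "struts.mapper.alwaysSelectFullNamespace"
               and (c.get("value") or "").strip().lower() == "true"
               for c in root.iter("constant"))


def audit_struts_xml(xml_text):
    """Return one finding per action in a no/wildcard-namespace package whose
    redirectAction/chain result does not set its own namespace param."""
    root = ET.fromstring(xml_text)
    findings = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns is not None and "*" not in ns:
            continue  # fixed namespace: nothing is taken from the request URL
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type") not in RISKY_RESULT_TYPES:
                    continue
                params = {p.get("name"): (p.text or "").strip() for p in result.iter("param")}
                if not params.get("namespace"):
                    findings.append({"package": pkg.get("name"), "action": action.get("name"),
                                     "result_type": result.get("type"),
                                     "package_namespace": ns or "(missing)",
                                     "full_namespace_enabled": full_namespace_enabled(root)})
    return findings
```

Run it against a real struts.xml by reading the file into audit_struts_xml; an empty list means no action matches the pattern the CVE description describes.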
Question:
Is CA Spectrum vulnerable to CVE-2018-11776 (Apache Struts Remote Code Execution)?
Environment:
Spectrum 10.0
Spectrum 10.1.x
Spectrum 10.2.x
Spectrum 10.3.x
Answer:
CA Engineering have verified the vulnerability (CVE-2018-11776), and the issue is not reproducible because CA Spectrum does not use empty action tags.
As an additional check, Engineering have scanned the application for Expression Language Injection attacks, and nothing was found or reported.
Therefore, as the result of this investigation, CA Spectrum is not vulnerable to CVE-2018-11776.
Additional Information:
As part of our ongoing commitment to provide the latest software updates in the newest releases, we are scheduled to update Apache Struts to the latest version in Spectrum 10.3.1, but this is not because of the vulnerability (CVE-2018-11776).