Is the Apache vulnerability CVE-2017-5638 affecting my Client Automation installation?

Document ID : KB000016619
Last Modified Date : 14/02/2018
Introduction:

A Client Automation installation uses Apache Tomcat, so it could potentially be affected by the vulnerability CVE-2017-5638.

Question:

Is the Apache vulnerability CVE-2017-5638 affecting my Client Automation installation?

Environment:
Client Automation 12.9 and above.
Answer:

According to the Apache Struts 2 Documentation S2-045, the affected software versions are Struts 2.3.5 - Struts 2.3.31 and Struts 2.5 - Struts 2.5.10. Client Automation makes use of the Struts 1.1 framework.

The CVE-2017-5638 vulnerability report describes two Struts 2 framework classes which allow for the vulnerability (specifically the FileUploadInterceptor.java and LocalizedTextUtil.java classes). Client Automation currently makes use of Struts 1.1, which does not make use of the affected classes. The Struts-menu 2.3 library (though v2.3) is an independent library, and the affected classes are not available in any Struts 1.x framework.

Therefore, Client Automation is not affected by this vulnerability. 
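To confirm this on a given server, the check described above can be automated. The following is an added example, not code from CA or the Apache Struts project: it walks a directory tree (for instance the Tomcat webapps folder), reads the Struts 2 version from the jar file name, compares it with the ranges quoted above, and looks inside each jar for the two class files named above. The `struts2-core-<version>.jar` naming pattern and all function names are assumptions of this example.

```python
import re
import zipfile
from pathlib import Path

# Affected ranges as quoted on this page from S2-045 (inclusive bounds).
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]
# Class files the page names as enabling the vulnerability.
AFFECTED_CLASSES = ("FileUploadInterceptor.class", "LocalizedTextUtil.class")
# Assumption: the core jar follows the usual struts2-core-<version>.jar naming.
JAR_NAME = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def version_affected(version: str) -> bool:
    """True if a dotted version string falls inside an affected range."""
    v = tuple(int(p) for p in version.split("."))
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def inspect_jar(jar: Path) -> dict:
    """Report the Struts 2 version (from the file name) and affected classes found."""
    m = JAR_NAME.search(jar.name)
    version = m.group(1) if m else None
    try:
        with zipfile.ZipFile(jar) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        names = []  # unreadable archive: report by name only
    classes = sorted({c for c in AFFECTED_CLASSES
                      for n in names if n.endswith("/" + c)})
    return {"jar": str(jar), "version": version, "classes": classes,
            "affected": bool(version and version_affected(version))}


def scan(root: str) -> list:
    """Inspect every jar under root; keep those with a Struts 2 version or affected class."""
    results = [inspect_jar(p) for p in sorted(Path(root).rglob("*.jar"))]
    return [r for r in results if r["version"] or r["classes"]]


if __name__ == "__main__":
    import sys
    for r in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(r)
```

An empty result matches the conclusion above. A jar that is reported with one of the class files but no version in its name has been renamed, and its version needs to be checked by hand.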

 

Additional Information:

Welcome to the Apache Struts project

Apache Struts 2 Documentation S2-045

NATIONAL VULNERABILITY DATABASE

Attack: Apache Struts CVE-2017-5638