Siteminder Administrative UI Java Struts Vulnerabilities

Document ID : KB000076230
Last Modified Date : 03/04/2018
Show Technical Document Details
Issue:
We've found a vulnerability in AdminUI that runs the Java Struts component. 

In facts, Siteminder Administrative UI is using Java Struts. The used version for 12.52 SP1 CR6 AdminUi is 1.2.8 which was published in 2006. 

There are several reported vulnerablities regarding this framework. 

https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/Apache-Struts.html 

All previous 2.5.x releases also have a severe vulnerability: 
https://struts.apache.org/docs/s2-052.html 

We need a secure current version depoyed for AdminUI. How can we solve it ?
 
Environment:
12.52 SP1 CR6 AdminUi on Redhat 6 64bits 
Resolution:
You can upgrade to Siteminder 12.6 or higher as struts has been removed

Engineering does not have any plans to upgrade this jar as it has been removed in higher versions. 

Struts is removed from Third Party Software section in 12.6 SP1 

document. 
https://docops.ca.com/ca-single-sign-on/12-6-01/en/third-party- 

software-acknowledgments/ 

12.7: 
https://docops.ca.com/ca-single-sign-on/12-7/en/third-party- 

software-acknowledgments
Additional Information:
Workaround:

This jar is not used by AdminUI but there is another application in JBoss that we ship called “sitemindermanage” that has this struts.jar in its WEB-INF/lib. 

So, you can take a backup of this file and safely delete the jar if you are not using “sitemindermanage” application 

The "/iam/sitemindermanage" application is not used for Single Sign-On Adminstration. 
It is part of the IAM Framework so it came bundled together but it is not used in Single SIgn-On Administration. 

So, you should have no impact even when you disable that feature. 

If you remove struts jar file, you will end up with an exception as shown below during WAMUI startup. But this will not affect our WAMUI functionality. 

2017-09-14 06:07:34,283 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/iam/sitemindermanage]] (main) Servlet /iam/sitemindermanage threw load() exception 
java.lang.ClassNotFoundException: org.apache.struts.action.ActionServlet 
at java.net.URLClassLoader$1.run(URLClassLoader.java:202) 
at java.security.AccessController.doPrivileged(Native Method) 
at java.net.URLClassLoader.findClass(URLClassLoader.java:190) 
at java.lang.ClassLoader.loadClass(ClassLoader.java:306) 
at java.lang.ClassLoader.loadClass(ClassLoader.java:247) 
at org.jboss.web.tomcat.service.TomcatInjectionContainer.newInstance(TomcatInjectionContainer.java:262) 
at org.jboss.web.tomcat.service.TomcatInjectionContainer.newInstance(TomcatInjectionContainer.java:256) 
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1006) 
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:950) 
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4122) 
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4421) 
at org.jboss.web.tomcat.service.deployers.TomcatDeployment.performDeployInternal(TomcatDeployment.java:310) 
at org.jboss.web.tomcat.service.deployers.TomcatDeployment.performDeploy(TomcatDeployment.java:142) 
at org.jboss.web.deployers.AbstractWarDeployment.start(AbstractWarDeployment.java:461) 
at org.jboss.web.deployers.WebModule.startModule(WebModule.java:118) 
at org.jboss.web.deployers.WebModule.start(WebModule.java:97) 
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) 
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) 
at java.lang.reflect.Method.invoke(Method.java:597) 
at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:157)