Is NAM vulnerable to the Jakarta Struts CVE-2017-5638

  • 7018703
  • 10-Mar-2017
  • 05-Apr-2017

Environment

NetIQ Access Manager 4.3
NetIQ Access Manager 4.2

Situation

NAM 4.3 is set up and working well. Most of its components (for example the IDP, ESP and Admin Console) are Tomcat-based web applications, so is NAM vulnerable to the newly released Apache Struts vulnerability CVE-2017-5638, described at http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/?
 
This particular vulnerability can be exploited by sending a crafted file-upload (multipart) request to a server whose web application uses the Struts 2 Jakarta Multipart parser. The parser embeds a malformed Content-Type header value in its error message, and that message is then evaluated as an OGNL expression, which gives the attacker remote code execution. Apache's S2-045 advisory lists Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10 as affected; 2.3.32 and 2.5.10.1 contain the fix.

Resolution

No. None of the NAM components use the Struts Jakarta Multipart parser that this vulnerability targets, so NAM is not affected. This also applies to older versions of NAM. Tomcat itself is not affected either: the flaw is in the Struts 2 library, so only web applications that bundle a vulnerable struts2-core jar are exposed.
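For administrators who want to confirm this on their own systems (or on other Tomcat-hosted applications next to NAM), the following POSIX shell script is an added example, not part of the original article or of the NAM product. It walks a webapps tree, looks for jars named struts2-core-<version>.jar and flags versions inside the S2-045 affected ranges (2.3.5 - 2.3.31 and 2.5 - 2.5.10). The NAM path /opt/novell/nam/idp/webapps in the comment is an assumption; the demo at the end builds a constructed temporary tree so the script runs offline.

```shell
#!/bin/sh
# Added example: check a Tomcat webapps tree for a Struts 2 core jar in the
# version ranges affected by CVE-2017-5638 (Apache advisory S2-045).

struts_version_vulnerable() {
    # $1 is the version taken from the jar name, e.g. 2.3.31 or 2.5.10.1.
    # Returns 0 (true) if it lies in 2.3.5-2.3.31 or 2.5-2.5.10, else 1.
    ver=${1%%-*}                      # drop any -SNAPSHOT style suffix
    oldifs=$IFS
    IFS=.
    set -- $ver                       # split major.minor.patch.build
    IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}; build=${4:-0}
    [ "$major" -eq 2 ] 2>/dev/null || return 1
    case "$minor" in
        3) [ "$patch" -ge 5 ] && [ "$patch" -le 31 ] && return 0 ;;
        5) [ "$patch" -le 10 ] && [ "$build" -eq 0 ] && return 0 ;;   # 2.5.10.1 is fixed
    esac
    return 1
}

scan_webapps_for_struts() {
    # $1 is the directory to scan, e.g. /opt/novell/nam/idp/webapps (assumed path).
    # Prints "<jar> <version> VULNERABLE|patched" per Struts core jar found.
    # Returns 0 if at least one affected jar was found, 1 otherwise.
    # Assumes jar paths contain no whitespace.
    found=1
    for jar in $(find "$1" -type f -name 'struts2-core-*.jar' 2>/dev/null); do
        v=$(basename "$jar" .jar)
        v=${v#struts2-core-}
        if struts_version_vulnerable "$v"; then
            echo "$jar $v VULNERABLE"
            found=0
        else
            echo "$jar $v patched"
        fi
    done
    return $found
}

demo() {
    # Constructed sample tree: one webapp without Struts (as NAM's are) and one
    # with an affected jar, to show both outcomes.
    tmp=$(mktemp -d)
    mkdir -p "$tmp/idp/WEB-INF/lib" "$tmp/legacy/WEB-INF/lib"
    : > "$tmp/idp/WEB-INF/lib/tomcat-util.jar"
    : > "$tmp/legacy/WEB-INF/lib/struts2-core-2.3.31.jar"
    if scan_webapps_for_struts "$tmp"; then
        echo "RESULT: affected Struts jar present, apply the S2-045 fix"
    else
        echo "RESULT: no affected Struts jar found"
    fi
    rm -rf "$tmp"
    return 0
}

demo
```

Run it against each NAM component's Tomcat webapps directory (IDP, ESP, Admin Console); on an unmodified NAM install it should report no Struts jar at all, which is the basis of the resolution above.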