
Last updated: April 4th, 2017 2:25pm (PDT)


On March 7th, 2017, the Apache team published a security bulletin for Apache Struts 2. It describes a possible remote code execution vulnerability when performing file uploads based on the Jakarta Multipart parser.


BMC Application Security is investigating whether any BMC products are impacted by this vulnerability.


The table below will be updated periodically to reflect our findings. Please subscribe to this blog post to be notified of updates.


BMC Products that include Struts 2:
BMC Service Level Management (SLM): The SLM Collector Admin UI uses Struts 2; however, it does not use File Upload based on the Jakarta Multipart Parser and is therefore not vulnerable to CVE-2017-5638.

BMC Products that do NOT include Struts 2:
BMC Atrium Orchestrator (BAO)
BMC Client Management (BCM formerly Footprints Asset Core)
BMC Cloud Lifecycle Management (CLM)
BMC Control-D
BMC Control-M
BMC Database Automation (BDA and BDSDA)
BMC Decision Support for Server Automation (BDSSA)
BMC Discovery (formerly ADDM)
BMC Impact Manager
BMC Innovation Suite
BMC Network Automation (BNA and BDSNA)
BMC Pathway Policy Service
BMC Real End User Experience Monitoring (Real EUEM)
BMC Release Lifecycle Management (RLM including RPD and RPM)
BMC Remedy IT Service Management Suite (ITSM)
BMC Remedy Mid-Tier
BMC Remedy Platform
BMC Server Automation (BSA)
BMC Service Request Management (SRM)
BMC TrueSight App Visibility Manager
BMC TrueSight Capacity Optimization (TSCO)
BMC TrueSight Infrastructure Management (TSIM including BPPM)
BMC TrueSight Infrastructure Management (TSIM) - PATROL Agent
BMC TrueSight Infrastructure Management (TSIM) - PATROL Repository
BMC TrueSight Intelligence
BMC TrueSight IT Data Analytics (ITDA)
BMC TrueSight Middleware Administrator (TSMA)
BMC TrueSight Middleware Transaction Monitor (TMTM)
BMC TrueSight Presentation Server (TSPS)
BMC TrueSight Pulse
BMC TrueSight Synthetic Monitor