On March 7th, 2017, the Apache team published a security bulletin for Apache Struts 2. It describes a possible remote code execution vulnerability when performing file upload based on the Jakarta Multipart parser.
BMC Application Security is investigating whether any BMC products are impacted by this vulnerability.
The table below will be updated periodically to reflect our findings. Please subscribe to this blog post to be notified of updates.
BMC Products that do NOT include Struts 2
BMC Products that include Struts 2
BMC Atrium Orchestrator (BAO)
BMC Service Level Management (SLM): The SLM Collector Admin UI uses Struts 2; however, it does not use file upload based on the Jakarta Multipart parser and is therefore not vulnerable to CVE-2017-5638.