On September 5th, 2017, the Apache team published a security bulletin for Apache Struts 2. It describes a vulnerability caused by the REST plugin using an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads.
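As an added illustration (not BMC's or Apache's code, and not the REST plugin's own XStream handler), here is the unfiltered XStream pattern the bulletin describes beside a hardened form that uses XStream's permission API to accept only the types an endpoint expects. The `Ticket` class and the XML bodies are constructed for the example; it assumes XStream 1.4.7 or later and its XML parser dependency on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Hypothetical domain object the application legitimately expects to receive.
class Ticket {
    int id;
    String title;
}

public class XStreamTypeFiltering {

    // Vulnerable pattern: no type permissions, so the root element name of the
    // incoming XML decides which class gets instantiated and populated.
    static XStream unfiltered() {
        XStream xs = new XStream();
        xs.alias("ticket", Ticket.class);
        return xs;
    }

    // Hardened pattern: forbid everything, then allow only what the endpoint needs.
    static XStream allowlisted() {
        XStream xs = new XStream();
        xs.alias("ticket", Ticket.class);
        xs.addPermission(NoTypePermission.NONE);              // deny all types
        xs.addPermission(NullPermission.NULL);                // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // allow int, boolean, ...
        xs.allowTypes(new Class[] { Ticket.class });          // explicit allowlist
        return xs;
    }

    // Constructed sample bodies: one the endpoint expects, one naming a class it never asked for.
    static final String EXPECTED = "<ticket><id>42</id><title>login page slow</title></ticket>";
    static final String UNEXPECTED = "<java.util.HashMap/>";

    public static void main(String[] args) {
        Ticket t = (Ticket) allowlisted().fromXML(EXPECTED);
        System.out.println("allowlisted accepted Ticket #" + t.id);

        // The unfiltered instance builds whatever type the XML names.
        System.out.println("unfiltered produced " + unfiltered().fromXML(UNEXPECTED).getClass());

        // The allowlisted instance rejects the same input before any object is created.
        try {
            allowlisted().fromXML(UNEXPECTED);
        } catch (ForbiddenClassException e) {
            System.out.println("allowlisted rejected: " + e.getMessage());
        }
    }
}
```

The same allowlist principle applies wherever an XStream instance is built from untrusted input; what changes per application is only the set of classes passed to `allowTypes`.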
To date, the BMC Application Security team has scanned all of our products and discovered only one product that uses Struts 2. Service Level Management (SLM) implements Struts 2, but does not use the vulnerable REST plugin. Although SLM does not use the impacted jar, customers can remove the Struts REST plugin on their own. SLM SP4 will include a patched version of Struts 2; in the meantime, workaround details can be found in Apache's security bulletin.
Security is our top priority and we are committed to staying on top of vulnerability management and threat intelligence.
Please subscribe to this blog post to be notified of updates. If you have any questions, please leave them in the comments below or email us at AppSec@bmc.com.