RSA Authentication Manager 8.x
Customer Support has asked whether the RSA Authentication Manager 8.x system is impacted by several vulnerabilities in Apache Struts 2 after reading the announcement of fixes for these issues by the Apache Software Foundation.
The summarized announcements associated with the query are as follows (additional information is available at struts.apache.org):
S2-032
Remote Code Execution can be performed via the method: prefix when Dynamic Method Invocation is enabled.
| Impact of vulnerability | Possible Remote Code Execution |
| Affected Software | Struts 2.3.20 - Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3) |
| CVE Identifier | CVE-2016-3081 |
S2-031
XSLTResult can be used to parse an arbitrary stylesheet.
| Impact of vulnerability | Possible Remote Code Execution |
| Affected Software | Struts 2.0.0 - Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3) |
| CVE Identifier | CVE-2016-3082 |
S2-029
Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
| Impact of vulnerability | Possible Remote Code Execution vulnerability |
| Affected Software | Struts 2.0.0 - Struts 2.3.24.1 (except 2.3.20.3) |
| CVE Identifier | CVE-2016-0785 |
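The affected-version ranges in the three tables above are the practical test an administrator needs: given the Struts version shipped in a deployment, which advisories apply? The following is an added example (not RSA's, Apache's or the Authentication Manager product's own code) that encodes the advisory ranges as inclusive bounds with the listed exceptions, parses dotted version strings, and reads the version out of `struts2-core-<version>.jar` file names. The jar-name pattern, the sample paths and the `WEB-INF/lib` layout are assumptions for illustration; the NVD wording (for example "2.3.24.x before 2.3.24.2") differs slightly from the advisory tables, and the checker follows the tables as printed above.

```python
"""Check Struts 2 versions against the S2-029, S2-031 and S2-032 advisory ranges.

Added example; the ranges are copied from the advisory tables above, the jar
naming convention and sample paths are assumptions made for this illustration.
"""
import re

# Inclusive bounds and the explicitly excluded patch releases, per advisory table.
ADVISORIES = {
    "S2-029 / CVE-2016-0785": {"low": "2.0.0", "high": "2.3.24.1",
                               "except": {"2.3.20.3"}},
    "S2-031 / CVE-2016-3082": {"low": "2.0.0", "high": "2.3.28",
                               "except": {"2.3.20.3", "2.3.24.3"}},
    "S2-032 / CVE-2016-3081": {"low": "2.3.20", "high": "2.3.28",
                               "except": {"2.3.20.3", "2.3.24.3"}},
}

# Assumed file-name convention for the core Struts 2 jar inside WEB-INF/lib.
JAR_NAME = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(v):
    """Turn '2.3.24.1' into (2, 3, 24, 1); missing trailing parts count as 0,
    so '2.3.28' sorts below '2.3.28.1' the way the advisories intend."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (4 - len(parts))


def affected_by(version):
    """Return the names of the advisories whose affected range contains `version`."""
    v = parse_version(version)
    hits = []
    for name, rng in ADVISORIES.items():
        if version in rng["except"]:
            continue  # a patch release the advisory explicitly lists as fixed
        if parse_version(rng["low"]) <= v <= parse_version(rng["high"]):
            hits.append(name)
    return hits


def struts_version_from_jar(path):
    """Extract the version from a struts2-core jar path, or None for other jars."""
    m = JAR_NAME.search(path)
    return m.group(1) if m else None


def assess_jars(paths):
    """Map each struts2-core jar path to the advisories that apply to its version."""
    findings = {}
    for p in paths:
        v = struts_version_from_jar(p)
        if v is not None:
            findings[p] = affected_by(v)
    return findings


# Constructed sample of jar paths, as a file-system scan of two web apps might return.
SAMPLE_JARS = [
    "/opt/app/WEB-INF/lib/struts2-core-2.3.24.1.jar",
    "/opt/app/WEB-INF/lib/xwork-core-2.3.24.1.jar",
    "/opt/other/WEB-INF/lib/struts2-core-2.3.28.1.jar",
]

if __name__ == "__main__":
    for path, advisories in assess_jars(SAMPLE_JARS).items():
        print(path, "->", advisories or "not in any listed range")
```

Versions outside the listed ranges (for example the 2.5 line, or the patch releases the tables name as exceptions) return an empty list; that is a statement about these three advisories only, not a general claim that the version is free of other issues.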
The following details are drawn from NVD, the Apache advisories and the Struts source code.
CVE-2016-3081
Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
CVSS v3 Base Score: 8.1 High
It is possible to pass a malicious expression which can be used to execute arbitrary code on server side when Dynamic Method Invocation is enabled.
Response: The flaw does not exist
Dynamic Method Invocation is a feature of Struts 2. AM does not use an impacted version of Struts.
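Because the advisory for CVE-2016-3081 only applies when Dynamic Method Invocation is enabled, a deployment review usually wants to know where that feature is switched on or off. The following is an added example, not code from RSA or from the Apache Struts project: it reads the `struts.enable.DynamicMethodInvocation` constant from a `struts.xml` `<constant>` element and from `struts.properties`, and reports the effective value. Two points are assumptions stated here and in the comments: that an unset constant means enabled (the shipped default in the Struts 2.3 line), and that `struts.properties` takes precedence over `struts.xml` when both set the key. The configuration snippets are constructed samples.

```python
"""Report whether Dynamic Method Invocation (DMI) is enabled in a Struts 2 configuration.

Added example. Assumptions: an unset constant means DMI is enabled (the Struts 2.3
shipped default), and struts.properties overrides struts.xml when both set the key.
"""
import xml.etree.ElementTree as ET

DMI_KEY = "struts.enable.DynamicMethodInvocation"


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        sep = "=" if "=" in line else ":" if ":" in line else None
        if sep is None:
            continue
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def constants_from_struts_xml(text):
    """Collect <constant name=... value=.../> pairs from a struts.xml document."""
    root = ET.fromstring(text)
    return {c.get("name"): c.get("value") for c in root.iter("constant") if c.get("name")}


def dmi_enabled(struts_xml=None, struts_properties=None, default=True):
    """Return (effective_enabled, [(source, raw_value), ...]).

    `default` models the framework default when nothing sets the key; True is the
    assumed Struts 2.3 default. Sources are applied in the assumed precedence order,
    struts.xml first, then struts.properties, so the last one listed wins.
    """
    value = default
    sources = []
    if struts_xml:
        raw = constants_from_struts_xml(struts_xml).get(DMI_KEY)
        if raw is not None:
            value = raw.strip().lower() == "true"
            sources.append(("struts.xml", raw))
    if struts_properties:
        raw = parse_properties(struts_properties).get(DMI_KEY)
        if raw is not None:
            value = raw.strip().lower() == "true"
            sources.append(("struts.properties", raw))
    return value, sources


# Constructed sample: a struts.xml that leaves DMI at the framework default.
STRUTS_XML_DEFAULT = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
  <package name="default" extends="struts-default"></package>
</struts>
"""

# Constructed sample: the same file with DMI explicitly disabled.
STRUTS_XML_HARDENED = STRUTS_XML_DEFAULT.replace(
    "<struts>",
    '<struts>\n  <constant name="struts.enable.DynamicMethodInvocation" value="false"/>',
)

# Constructed sample: a struts.properties that re-enables it, overriding struts.xml.
STRUTS_PROPERTIES_REENABLE = "# local overrides\nstruts.enable.DynamicMethodInvocation = true\n"

if __name__ == "__main__":
    for label, xml, props in [
        ("default", STRUTS_XML_DEFAULT, None),
        ("hardened", STRUTS_XML_HARDENED, None),
        ("hardened + properties override", STRUTS_XML_HARDENED, STRUTS_PROPERTIES_REENABLE),
    ]:
        enabled, sources = dmi_enabled(xml, props)
        print(f"{label}: DMI enabled={enabled} set by {sources or 'framework default'}")
```

The useful caveat is the empty `sources` list on the default configuration: an absent constant is not evidence that the feature is off, so a review has to treat "not configured" as "enabled" for this framework line rather than as "safe".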
CVE-2016-0785
Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.
CVSS v3 Base Score: 8.8 High
The Apache Struts framework, when forced, performs double evaluation of the attribute values assigned to certain tags, so it is possible to pass in a value that is evaluated again when the tag's attributes are rendered (processing in code associated with com.opensymphony.xwork2.ognl).
Response: The flaw does not exist
The forced evaluation of Struts 2 attributes and OGNL expressions (%{}) is a feature of Struts 2. AM does not use an impacted version of Struts.
CVE-2016-3082
XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.
CVSS v3 Base Score: 9.8 Critical
XSLTResult allows for the location of a stylesheet being passed as a request parameter. In some circumstances this can be used to inject remotely executable code.
Response: The flaw does not exist
XSLTResult uses XSLT to transform an action object to XML and is a feature of Struts 2. AM does not use an impacted version of Struts.