There is a classloader manipulation vulnerability in the Apache Struts 1 that is used by IBM WebSphere Application Server. IBM Security Key Lifecycle Manager is not affected by this vulnerability.
None
IBM WebSphere Application Server has deprecated this feature starting WebSphere Application Server v7.0.
<https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/rmig_depfeat.html>
Security Bulletin released by WebSphere Application Server : <http://www-01.ibm.com/support/docview.wss?uid=swg21672316>
clearly states "If your Java Web Application is using Apache Struts version 1.x that is available in WebSphere Application Server’s optional libraries, you also may be vulnerable. " IBM Security Key Lifecycle Manager does not use it and is not affected by this.
Important! IBM is planning on removing and no longer shipping all 4 versions of Struts Version 1.x from the optional Libraries starting in WebSphere Application Server 7.0.0.43, 8.0.0.13, 8.5.5.11 and 9.0.0.1.