APM 10.5 Security Finding with Spring Framework


Article ID: 143106


Products

CA Application Performance Management Agent (APM / Wily / Introscope)
CA Application Performance Management (APM / Wily / Introscope)
INTROSCOPE
DX Application Performance Management

Issue/Introduction

The following security finding was found on the systems that are running APM:

Spring Framework 4.3.x < 4.3.16 / 5.0.x < 5.0.5 Remote Code Execution with spring-messaging (CVE-2018-1270)

The remote host contains a Spring Framework library version that is 4.3.x prior to 4.3.16 or 5.0.x prior to 5.0.5. It is, therefore, affected by a remote code execution vulnerability.

An unauthenticated, remote attacker can exploit this by sending a specially crafted message to the broker, leading to remote code execution. The affected code is the STOMP-over-WebSocket support in the spring-messaging module (its simple in-memory broker). Version-based scanners such as this one report the library wherever it is found, whether or not the component that bundles it exposes a STOMP endpoint, so the finding is raised against every APM component that ships the library.

Cause

Per engineering, CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272 are reported against Spring Framework versions up to 4.2.9, up to 4.3.15 and up to 5.0.5. APM bundles Spring in Shibboleth, AppMap EM, CEM, ACC, APMSqlServer and AppMap EM (Team Center).
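To confirm which Spring Framework jars an installation actually ships, and whether they fall in the ranges the scanner flags, the following added Python example (not code from this KB article or from the product) walks an install directory, reads Implementation-Version from each spring-*.jar manifest (falling back to the file name when there is no manifest), and compares the result against the fixed releases named in the finding. The directory layout and jar contents in build_sample_tree are constructed for the demonstration and are not the real APM layout; the module list, the FIXED table and treating lines older than 4.3 as affected are assumptions derived from the finding and Cause text above.

```python
"""Added example for this KB page (not CA/Broadcom code): inventory the
Spring Framework jars under an APM install tree and flag affected versions."""
import os
import re
import sys
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases from the finding: 4.3.x fixed in 4.3.16, 5.0.x fixed in 5.0.5.
# Assumption: lines older than 4.3 (the Cause section names 4.2.9) are treated
# as affected, and 5.1 and later shipped after the fix.
FIXED = {(4, 3): (4, 3, 16), (5, 0): (5, 0, 5)}

# Only spring-framework modules are compared; spring-boot / spring-security
# jars use different version lines and would produce false positives.
FRAMEWORK_MODULES = {
    "core", "beans", "context", "context-support", "aop", "aspects",
    "expression", "web", "webmvc", "websocket", "messaging", "jdbc",
    "orm", "oxm", "tx", "jms", "test", "instrument",
}
JAR_NAME = re.compile(r"^spring-(.+?)-(\d+)\.(\d+)\.(\d+)\S*\.jar$")


@dataclass
class SpringJar:
    path: str
    artifact: str
    version: Version
    vulnerable: bool


def parse_version(text: str) -> Optional[Version]:
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def manifest_version(jar_path: str) -> Optional[Version]:
    """Prefer Implementation-Version from META-INF/MANIFEST.MF: repackaged
    jars are often renamed, so the file name alone is not trustworthy."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in text.splitlines():
        if line.lower().startswith("implementation-version:"):
            return parse_version(line.split(":", 1)[1].strip())
    return None


def is_vulnerable(version: Version) -> bool:
    major_minor = version[:2]
    if major_minor < (4, 3):
        return True  # unsupported lines, assumed affected
    fixed = FIXED.get(major_minor)
    return fixed is not None and version < fixed


def scan(root: str) -> List[SpringJar]:
    found: List[SpringJar] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = JAR_NAME.match(name)
            if not m or m.group(1) not in FRAMEWORK_MODULES:
                continue
            path = os.path.join(dirpath, name)
            version = manifest_version(path) or tuple(int(g) for g in m.groups()[1:])
            found.append(SpringJar(path, m.group(1), version, is_vulnerable(version)))
    return sorted(found, key=lambda j: j.path)


def build_sample_tree(root: str) -> None:
    """Constructed sample (not the real APM layout): three jars with a
    manifest, one of them renamed so the manifest disagrees with the file
    name, and one jar with no manifest at all."""
    samples = [
        ("em/lib/spring-messaging-4.3.14.RELEASE.jar", "4.3.14.RELEASE"),
        ("em/lib/spring-core-5.0.5.RELEASE.jar", "5.0.5.RELEASE"),
        ("acc/lib/spring-web-4.3.16.RELEASE.jar", "4.3.12.RELEASE"),
        ("shib/lib/spring-context-4.2.9.RELEASE.jar", None),
    ]
    for rel, impl in samples:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            if impl:
                zf.writestr("META-INF/MANIFEST.MF",
                            f"Manifest-Version: 1.0\r\nImplementation-Version: {impl}\r\n")


def demo() -> List[SpringJar]:
    root = tempfile.mkdtemp(prefix="apm-spring-")
    build_sample_tree(root)
    return scan(root)


if __name__ == "__main__":
    # Usage: python spring_scan.py /path/to/apm/install   (no argument: sample tree)
    for jar in (scan(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        flag = "AFFECTED" if jar.vulnerable else "ok"
        print(f"{flag:8} spring-{jar.artifact} {'.'.join(map(str, jar.version))}  {jar.path}")
```

Run it against the EM, ACC and Shibboleth install directories before and after the upgrade; a clean run after 10.7.0 SP3 shows only 4.3.16+/5.0.5+ entries, and any jar the manifest reports at an older version than its file name suggests deserves a closer look.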

Environment

Release : 10.5

Component : APM Agents

Resolution

Per engineering, fixes were created for APM 10.7 and are included in APM 10.7 SP3 and later. Customers on 10.5 should therefore upgrade to 10.7.0.45 (GA) and then apply SP3 or a later service pack.

Other vulnerabilities reported by the Code Insight / Black Duck scanning tools, together with additional security fixes that were first delivered as hotfixes, are also included in 10.7.0 SP3.