The following security finding was reported on systems running APM:
Spring Framework 4.3.x < 4.3.16 / 5.0.x < 5.0.5 Remote Code Execution with spring-messaging (CVE-2018-1270)
The remote host contains a Spring Framework library version that is 4.3.x prior to 4.3.16 or 5.0.x prior to 5.0.5. It is, therefore, affected by a remote code execution vulnerability.
An unauthenticated, remote attacker can exploit this by sending a specially crafted message to the broker, which can lead to remote code execution.
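The finding above is a version-range check: a host is flagged when its Spring Framework library is 4.3.x before 4.3.16 or 5.0.x before 5.0.5. The following script is an added example (not part of this article or of the APM product) that reproduces that check against a list of Spring jar filenames so a team can confirm which installed artifacts fall inside the affected ranges before and after an upgrade. It assumes the usual Maven naming convention `spring-<module>-<major>.<minor>.<patch>[.QUALIFIER].jar`; the filenames in `SAMPLE_JARS` are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated in the finding for CVE-2018-1270:
# 4.3.x before 4.3.16 and 5.0.x before 5.0.5.
# Each entry is [lower, fixed): the fixed version itself is not affected.
AFFECTED_RANGES = [
    ((4, 3, 0), (4, 3, 16)),
    ((5, 0, 0), (5, 0, 5)),
]

# Assumed jar naming convention, e.g. spring-messaging-4.3.15.RELEASE.jar
JAR_RE = re.compile(
    r"^(spring-[a-z-]+)-(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?\.jar$"
)


class Finding(NamedTuple):
    artifact: str
    version: Version
    affected: bool


def parse_jar(filename: str) -> Optional[Tuple[str, Version]]:
    """Return (artifact, version) for a Spring jar, or None for anything else."""
    m = JAR_RE.match(filename)
    if m is None:
        return None
    version = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return m.group(1), version


def is_affected(version: Version) -> bool:
    """True when the version lies inside one of the affected [lower, fixed) ranges."""
    return any(lower <= version < fixed for lower, fixed in AFFECTED_RANGES)


def scan(filenames: List[str]) -> List[Finding]:
    """Classify every Spring jar in the list; non-Spring jars are skipped."""
    findings = []
    for name in filenames:
        parsed = parse_jar(name)
        if parsed is None:
            continue
        artifact, version = parsed
        findings.append(Finding(artifact, version, is_affected(version)))
    return findings


# Constructed sample input: a mix of affected, fixed and unrelated jars.
SAMPLE_JARS = [
    "spring-messaging-4.3.15.RELEASE.jar",  # 4.3.x before 4.3.16 -> affected
    "spring-core-4.3.16.RELEASE.jar",       # fixed version -> not affected
    "spring-messaging-5.0.4.RELEASE.jar",   # 5.0.x before 5.0.5 -> affected
    "spring-messaging-5.0.5.RELEASE.jar",   # fixed version -> not affected
    "spring-web-5.1.2.RELEASE.jar",         # outside both ranges -> not affected
    "log4j-1.2.17.jar",                     # not a Spring jar -> skipped
]

if __name__ == "__main__":
    for f in scan(SAMPLE_JARS):
        state = "AFFECTED" if f.affected else "ok"
        print(f"{f.artifact} {'.'.join(map(str, f.version))}: {state}")
```

Run it against a directory listing of the APM component's `lib` folder (for example the output of `ls *.jar`) to get a per-artifact verdict; anything reported as AFFECTED should disappear after the 10.7 SP3 upgrade described below.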
Release : 10.5
Component : APM Agents
Per engineering, CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272 are reported against Spring Framework up to 4.2.9, up to 4.3.15 and up to 5.0.5. Spring is used in Shibboleth, AppMap EM, CEM, ACC, APMSqlServer and AppMap EM (Team Center).
Per engineering, fixes were created for APM 10.7 and are included in APM 10.7 SP3 and later. Therefore, please upgrade to 10.7.0.45 (GA) and then to SP3 or later.
Other security vulnerabilities reported by the Code Insight/Black Duck tools, along with further security vulnerabilities, were fixed in hotfixes that are also included in 10.7.0 SP3.