Data collector vulnerability

Article ID: 193155

Products

CA Infrastructure Management
CA Performance Management - Usage and Administration
DX NetOps

Issue/Introduction

We have CA PM 3.7.3 running in our production environment. Our audit team shared the vulnerability below, reported on the Data Collector VM:

CVE-2018-1270 

Plugin Name:
Spring Framework 4.3.x < 4.3.16 / 5.0.x < 5.0.5 Remote Code Execution with spring-messaging (CVE-2018-1270)

Plugin Text:
<plugin_output>
  Path              : /app/CA/IMDataCollector/backup/apache-activemq/lib/optional/spring-core-4.3.9.RELEASE.jar
  Installed version : 4.3.9.RELEASE
  Fixed version     : 4.3.16
</plugin_output>

Description:

The remote host contains a Spring Framework library version that is 4.3.x prior to 4.3.16 or 5.0.x prior to 5.0.5. It is, therefore, affected by a remote code execution vulnerability. An unauthenticated, remote attacker can exploit this by sending a specially crafted message to the broker, which can lead to remote code execution.

Solution:
Upgrade to Spring Framework version 4.3.16 or 5.0.5 or later.


Can you please help us remediate this vulnerability?

Environment

CAPM 3.7

Resolution

Remove the /opt/CA/IMDataCollector/backup/apache-activemq directory. (The scanner in this case reported the jar under /app/CA/IMDataCollector, so use whichever install root applies to your Data Collector.) The backup/apache-activemq directory is a leftover copy that is no longer needed in current releases, and the flagged spring-core-4.3.9.RELEASE.jar sits inside it. The latest ActiveMQ we ship with CA PM 3.7.12 and later, and with 20.2, is 5.15.8, which includes spring-core 4.3.18, so upgrading the Data Collector also moves the live ActiveMQ past the fixed version (4.3.16).
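One way to verify and clean up this finding on the Data Collector host, as an added example written for this article (it is a shell script of my own, not a tool shipped with CA PM or DX NetOps). It assumes DC_HOME is the Data Collector install root (the scanner output above shows /app/CA/IMDataCollector; the resolution refers to /opt/CA/IMDataCollector), flags any spring-*.jar whose version falls in the affected ranges named in the plugin text (4.3.x below 4.3.16, 5.0.x below 5.0.5), and removes only the obsolete backup/apache-activemq copy, leaving the live apache-activemq directory in place so the re-scan shows whether the running broker also needs the upgrade.

```shell
#!/bin/sh
# Added example for this KB article (not a CA PM / DX NetOps tool): find Spring
# Framework jars under the Data Collector install root, flag versions still below
# the CVE-2018-1270 fixed releases, and remove the obsolete backup/apache-activemq
# copy that the resolution says can be deleted.
# Assumption: DC_HOME is the install root. The scanner output in this article shows
# /app/CA/IMDataCollector; the resolution refers to /opt/CA/IMDataCollector.
DC_HOME="${DC_HOME:-/opt/CA/IMDataCollector}"

# version_lt A B: succeed if dotted version A is lower than B. Non-numeric parts
# such as "RELEASE" compare as 0, so 4.3.9.RELEASE sorts below 4.3.16.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "[.]"); m = split(b, y, "[.]")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# spring_jar_vulnerable PATH: succeed if the jar's version is in an affected range
# (4.3.x before 4.3.16 or 5.0.x before 5.0.5, per the plugin text above).
spring_jar_vulnerable() {
    base=${1##*/}              # spring-core-4.3.9.RELEASE.jar
    ver=${base##*-}            # 4.3.9.RELEASE.jar
    ver=${ver%.jar}            # 4.3.9.RELEASE
    ver=${ver%.RELEASE}        # 4.3.9
    case "$ver" in
        4.3.*) fixed=4.3.16 ;;
        5.0.*) fixed=5.0.5 ;;
        *)     return 1 ;;     # other branches are outside this advisory
    esac
    version_lt "$ver" "$fixed"
}

# scan_spring_jars ROOT: print every affected spring-*.jar below ROOT, one per line.
scan_spring_jars() {
    find "$1" -type f -name 'spring-*.jar' | while read -r jar; do
        if spring_jar_vulnerable "$jar"; then
            printf '%s\n' "$jar"
        fi
    done
}

# remove_activemq_backup ROOT: delete ROOT/backup/apache-activemq if present.
# Only the backup copy is removed; the live apache-activemq directory is untouched.
remove_activemq_backup() {
    dir="$1/backup/apache-activemq"
    if [ -d "$dir" ]; then
        rm -rf -- "$dir"
        printf 'removed %s\n' "$dir"
    else
        printf 'nothing to remove: %s not present\n' "$dir"
    fi
}

# Usage: sh check_spring.sh scan       (report only)
#        sh check_spring.sh remediate  (report, remove the backup copy, re-scan)
case "${1:-}" in
    scan)      scan_spring_jars "$DC_HOME" ;;
    remediate) scan_spring_jars "$DC_HOME"
               remove_activemq_backup "$DC_HOME"
               scan_spring_jars "$DC_HOME" ;;
esac
```

Run it first with "scan" to confirm the only hit is under backup/apache-activemq, then with "remediate". Any jar still listed after the backup is gone belongs to the live broker and is resolved by upgrading to 3.7.12 or later (ActiveMQ 5.15.8 with spring-core 4.3.18), not by deleting files.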