We have CA PM 3.7.3 running in our production environment. Our audit team shared the vulnerability below on the Data Collector VM:
Spring Framework 4.3.x < 4.3.16 / 5.0.x < 5.0.5 Remote Code Execution with spring-messaging (CVE-2018-1270)
Path : /app/CA/IMDataCollector/backup/apache-activemq/lib/optional/spring-core-4.3.9.RELEASE.jar
Installed version : 4.3.9.RELEASE
Fixed version : 4.3.16
The remote host contains a Spring Framework library version that is 4.3.x prior to 4.3.16 or 5.0.x prior to 5.0.5. It is, therefore, affected by a remote code execution vulnerability. An unauthenticated, remote attacker can exploit this by sending a specially crafted message to the broker, which can lead to an RCE attack.
Upgrade to Spring Framework version 4.3.16 or 5.0.5 or later.
Can you please help us in remediating this vulnerability?
You can remove /opt/CA/IMDataCollector/backup/apache-activemq. The backup/apache-activemq directory is not needed anymore in the current releases. 5.15.8 is the latest we ship for 3.7.12+, and 20.2 has the 4.3.18 spring-core version.
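To confirm that no other stale copy remains after the backup directory is removed, here is an added example (not from the thread, nor CA's own tooling): a POSIX shell check that lists spring-*.jar files under an install root and flags versions in the ranges the scanner reported for CVE-2018-1270. The demo tree at the bottom is constructed sample data; on a real Data Collector the root would be a path such as /opt/CA/IMDataCollector.

```shell
#!/bin/sh
# Added example, not from the thread: locate Spring jars under an install root
# and flag versions in the ranges the scanner reported as affected by
# CVE-2018-1270 (4.3.x before 4.3.16, 5.0.x before 5.0.5). The version is taken
# from the jar filename, e.g. spring-core-4.3.9.RELEASE.jar -> 4.3.9.

# spring_version_affected VERSION -> exit 0 if VERSION is inside an affected range
spring_version_affected() {
    v=${1%.RELEASE}                              # "4.3.9.RELEASE" -> "4.3.9"
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.}; patch=${patch%%.*} ;; *) patch= ;; esac
    case "$patch" in ''|*[!0-9]*) return 1 ;; esac   # no numeric patch level: skip
    case "$major.$minor" in
        4.3) [ "$patch" -lt 16 ] ;;
        5.0) [ "$patch" -lt 5 ] ;;
        *)   return 1 ;;                         # other branches are outside the advisory ranges
    esac
}

# scan_spring_jars ROOT -> prints one line per jar; exit 0 only if none is affected
scan_spring_jars() {
    affected=0
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        name=${jar##*/}; ver=${name%.jar}; ver=${ver##*-}   # version follows the last '-'
        if spring_version_affected "$ver"; then
            echo "AFFECTED $ver $jar"; affected=$((affected + 1))
        else
            echo "ok       $ver $jar"
        fi
    done <<EOF
$(find "$1" -type f -name 'spring-*.jar' 2>/dev/null | sort)
EOF
    [ "$affected" -eq 0 ]
}

# Constructed demo tree mirroring the layout from the thread (sample data only):
# a stale 4.3.9 copy under backup/ next to a current 4.3.18 copy.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/backup/apache-activemq/lib/optional" "$demo_root/apache-activemq/lib/optional"
: > "$demo_root/backup/apache-activemq/lib/optional/spring-core-4.3.9.RELEASE.jar"
: > "$demo_root/apache-activemq/lib/optional/spring-core-4.3.18.RELEASE.jar"
scan_spring_jars "$demo_root" || echo "stale Spring jars found: remove the backup copy or upgrade"
rm -rf "$demo_root"
```

Run it against the real install root after deleting backup/apache-activemq; a non-zero exit means a jar in an affected range is still present somewhere under that tree.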