Apache vulnerability for Spectrum

Article Id: 195844

Status: Published

Updated On: 24-07-2020 07:27

Products:

CA Spectrum , CA eHealth

Issue/Introduction:

CVE-2020-9484

CVE-2019-10072

CVE-2019-0199

CVE-2020-9484

CVE-2020-11996

The above CVE's are showing up in scans as vulnerable on Spectrum 10.4.0 and 10.4.1

Environment:

Release : 10.4

Component : Spectrum Core / SpectroSERVER

Resolution:

CVE-2020-9484- Spectrum does not use Persistent Manager and therefore we are not vulnerable.

CVE-2019-10072, CVE-2019-0199 - We are vulnerable and fixed in 10.4.2

CVE-2020-9484 - Not vulnerable

CVE-2020-11996 - Vulnerable but fixed in 10.5.0 where we will upgrade to Tomcat 9.0.37+

So our suggestion would be to upgrade to 10.4.2 at the moment to address the first 2. The 3rd is a non-issue and the 4th will be resolved in the future.

10.5.0 has a tentative release date of end of year 2020.