Is Spectrum Tomcat affected by CVE-2021-25122 and CVE-2021-25329?

Article ID: 209865

Products

CA Spectrum

Issue/Introduction

Is the Tomcat bundled with Spectrum affected by CVE-2021-25122 and CVE-2021-25329? Is there a hotfix for these CVEs?

Spectrum version: 10.4.3.0.21

Environment

Release: 20.2

Component: Spectrum Core / SpectroSERVER

Resolution

1. CVE-2021-25122: This issue arises with h2c requests, where the server supports HTTP/2 and the client makes a cleartext (h2c) request. Spectrum's Tomcat supports HTTP/1.1 only, and is therefore NOT affected.

2. CVE-2021-25329: This can be exploited if a user first gains access to a file on the server and later gets that file, carrying scripts or malware, executed. This is a possible concern.

Tomcat 9.0.43 is provided in the next release of Spectrum, and both CVEs are closed by that upgrade.
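The two conditions the article relies on (HTTP/2 not enabled, and Tomcat at or above 9.0.43) can be checked from the bundled Tomcat's `server.xml` and version string. The following is an added example written for this article, not Broadcom or Spectrum code; the `server.xml` fragment and version strings in it are constructed samples, and the Spectrum install path is not assumed.

```python
"""Triage helper for the two Tomcat CVEs discussed in the article.

1. Does server.xml enable the HTTP/2 UpgradeProtocol on any Connector?
   CVE-2021-25122 is only reachable through h2c, so a Tomcat that serves
   plain HTTP/1.1 is not exposed to it.
2. Is the Tomcat version at or above 9.0.43, the release the article
   names as carrying the fix for both CVEs?  (Only the 9.0.x line the
   article talks about is considered here.)
"""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (9, 0, 43)                       # from the article
HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"   # Tomcat's h2 upgrade class


def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Apache Tomcat/9.0.41'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_fixed(version_text):
    """True when the reported Tomcat version is >= 9.0.43."""
    return parse_version(version_text) >= FIXED_VERSION


def http2_connectors(server_xml):
    """Return the port of every Connector that declares the HTTP/2 UpgradeProtocol."""
    root = ET.fromstring(server_xml)
    return [conn.get("port")
            for conn in root.iter("Connector")
            for up in conn.findall("UpgradeProtocol")
            if up.get("className") == HTTP2_CLASS]


# Constructed sample: one plain HTTP/1.1 connector, one TLS connector with h2 enabled.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
  </Service>
</Server>"""

if __name__ == "__main__":
    print("Connectors with HTTP/2 enabled:", http2_connectors(SAMPLE_SERVER_XML))
    print("Tomcat 9.0.41 patched?", is_fixed("Apache Tomcat/9.0.41"))
```

On a real host, feed the script the contents of the bundled Tomcat's `conf/server.xml` and the output of its `version.sh` (or the `ServerInfo.properties` string); an empty connector list plus `is_fixed(...) == True` matches the article's conditions for both CVEs.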