A security scan has reported that the Symantec Siteminder AdminUI is running 'spring-core.jar' version 4.3.4.
Path: /opt/CA/smadminui/siteminder/adminui/standalone/tmp/vfs/deployment/deploymenta029f437e224b278/spring-core-4.3.4.RELEASE.jar-99446a6c0c21b351/spring-core-4.3.4.RELEASE.jar
Installed version : 4.3.4.RELEASE
Fixed version : 4.3.16
PRODUCT: Siteminder
COMPONENT: AdminUI
VERSION: r12.8.5, r12.8.6, r12.8.6a
OS: ANY
Siteminder ships with the following versions of Spring Framework:
r12.8.8: Spring Framework 5.3.18*
r12.8.7: Spring Framework 5.3.18*
r12.8.6/6a: Spring Framework 4.3.4
r12.8.5: Spring Framework 4.3.4
*See KB280281 for Spring Framework 5.3.18 vulnerabilities (link in Additional Information).
CVE-2022-22950: Spring Framework SpEL expression denial of service. Spring lists the affected versions as 5.3.0 to 5.3.16, 5.2.0 to 5.2.19 and older unsupported versions, which includes the 4.3.4 jar reported here. (The original scan text labelled this CVE with the Apache Struts S2-061 remote code execution description; that is a different product and a different CVE.)
Additional CVEs:
CVE-2020-5421
CVE-2020-5413
CVE-2018-15756
CVE-2018-1275
CVE-2018-1272
CVE-2018-1271
CVE-2018-1270
CVE-2018-1257
CVE-2018-1199
CVE-2018-11040
CVE-2018-11039
CVE-2016-9878
The Siteminder AdminUI does not use the flows that load the spring-core 4.3.4 library, so the vulnerable code is not exercised by the AdminUI.
Customers can remove spring-core.jar from the Siteminder AdminUI in existing GA releases to mitigate this finding. r12.8.7 and later ship Spring Framework 5.3.18 instead, which has its own findings (see the KB referenced above).
Steps to remove the spring-core 4.3.4 jar from the Siteminder r12.8.6a (and lower) AdminUI
WINDOWS
Follow the steps below to remove spring-core from the r12.8.6a (and lower) AdminUI on Windows Server.
1. Stop the AdminUI server
2. Delete the following file (the scan output above names the jar spring-core-4.3.4.RELEASE.jar; confirm the exact file name in the lib directory before deleting, and keep a copy outside the deployment tree so the change can be reverted):
<Install_Dir>\adminui\standalone\deployments\iam_siteminder.ear\user_console.war\WEB-INF\lib\spring-core-4.3.4.jar
3. Delete the following directory (this is the exploded deployment cache where the scanner found the jar; the server recreates it on the next start):
<Install_Dir>\adminui\standalone\tmp\vfs\
4. Start the AdminUI server
LINUX
Follow the steps below to remove spring-core from the r12.8.6a (and lower) AdminUI on Linux.
1. Stop the AdminUI server
2. Delete the following file (if it is not at this path, search the deployments directory for spring-core*.jar: the Windows layout above keeps it under user_console.war/WEB-INF/lib instead, and the scan output names it spring-core-4.3.4.RELEASE.jar; keep a copy outside the deployment tree before deleting):
<Install_Dir>/CA/siteminder/adminui/standalone/deployments/iam_siteminder.ear/library/spring-core-4.3.4.jar
3. Delete the following directory (this is the exploded deployment cache where the scanner found the jar; the server recreates it on the next start):
<Install_Dir>/adminui/standalone/tmp/vfs/
4. Start the AdminUI server
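The Linux procedure above (steps 2 and 3, run between stopping and starting the server) as one script. This is an added example, not a Broadcom/CA script. It assumes the first argument is the AdminUI directory (the one containing standalone/) and the second is a backup directory outside the deployment tree; it locates the jar by name rather than by a fixed path, so it works whether the build keeps spring-core under iam_siteminder.ear/library or under user_console.war/WEB-INF/lib, backs the jar up, clears the vfs cache, and then verifies that no spring-core jar is left anywhere under standalone/. The same sequence applies on Windows with the paths listed in the Windows section.

```shell
#!/bin/sh
# Added example, not a Broadcom/CA script: remove the spring-core jar(s) from a
# Siteminder AdminUI install and clear the JBoss vfs deployment cache, keeping a
# backup so the change can be reverted. The AdminUI server must be stopped first.
# Assumption: $1 is the AdminUI directory, i.e. the one that contains standalone/.

find_spring_core_jars() {
    # One path per line for every spring-core jar in the deployed ear, whether the
    # build keeps it in iam_siteminder.ear/library or in user_console.war/WEB-INF/lib.
    find "$1/standalone/deployments" -type f -name 'spring-core-*.jar' 2>/dev/null
}

verify_spring_core_removed() {
    # Succeeds only when no spring-core jar is left anywhere under standalone/,
    # which covers both the deployment and the exploded copy in tmp/vfs that the
    # scanner actually reported.
    remaining="$(find "$1/standalone" -type f -name 'spring-core-*.jar' 2>/dev/null | wc -l | tr -d ' ')"
    [ "$remaining" -eq 0 ]
}

remove_spring_core() {
    adminui_dir="$1"
    backup_dir="$2"

    jars="$(find_spring_core_jars "$adminui_dir")"
    if [ -z "$jars" ]; then
        echo "no spring-core jar found under $adminui_dir/standalone/deployments" >&2
        return 1
    fi

    mkdir -p "$backup_dir" || return 1
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        # Copy out first so a start-up failure can be fixed by putting the jar back.
        cp -p "$jar" "$backup_dir/" || return 1
        rm -f "$jar" || return 1
        echo "removed $jar (backup in $backup_dir)"
    done <<EOF
$jars
EOF

    # The vfs cache is an exploded copy of the ear; the server rebuilds it on the
    # next start, so the old jar would otherwise survive in there.
    rm -rf "$adminui_dir/standalone/tmp/vfs" || return 1

    verify_spring_core_removed "$adminui_dir"
}

# Usage (path taken from the scan output above):
#   sh remove_spring_core.sh /opt/CA/smadminui/siteminder/adminui /root/spring-core-backup
if [ "$#" -eq 2 ]; then
    remove_spring_core "$1" "$2"
fi
```

After starting the AdminUI again, watch the server log during the first start and login: a NoClassDefFoundError or ClassNotFoundException for an org.springframework class would mean a flow does load the jar on that installation, in which case restore it from the backup directory and open a case rather than leaving the AdminUI broken. Re-run the scan afterwards; it should no longer find spring-core under standalone/tmp/vfs.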