Spring Framework 4.3.4 vulnerability in Siteminder r12.8.6a and older AdminUI

Article ID: 226985

Products

SITEMINDER

Issue/Introduction

A security scan has reported that the Symantec Siteminder AdminUI is running 'spring-core.jar' version 4.3.4. 


  Path: /opt/CA/smadminui/siteminder/adminui/standalone/tmp/vfs/deployment/deploymenta029f437e224b278/spring-core-4.3.4.RELEASE.jar-99446a6c0c21b351/spring-core-4.3.4.RELEASE.jar
  Installed version : 4.3.4.RELEASE
  Fixed version     : 4.3.16

Environment

PRODUCT: Siteminder

COMPONENT: AdminUI

VERSION: r12.8.5, r12.8.6, r12.8.6a

OS: ANY

Cause

Siteminder ships with the following versions of Spring Framework:

r12.8.8:    Spring Framework 5.3.18*
r12.8.7:    Spring Framework 5.3.18*
r12.8.6/6a: Spring Framework 4.3.4
r12.8.5:    Spring Framework 4.3.4

*See KB280281 for Spring Framework 5.3.18 vulnerabilities (link in Additional Information).

CVE-2022-22950: Apache Struts 2.0.0 < 2.5.26 Possible Remote Code Execution vulnerability (S2-061)

Additional CVEs

CVE-2020-5421
CVE-2020-5413
CVE-2018-15756
CVE-2018-1275
CVE-2018-1272
CVE-2018-1271
CVE-2018-1270
CVE-2018-1257
CVE-2018-1199
CVE-2018-11040
CVE-2018-11039
CVE-2016-9878

Resolution

The SiteMinder AdminUI does not use the code paths that invoke the 'spring-core 4.3.4' library, so the flagged jar is present but not exercised.

Customers can remove the spring-core jar from the Siteminder AdminUI in existing GA releases to mitigate this vulnerability.

Steps to remove the spring-core 4.3.4 jar from the Siteminder r12.8.6a (and lower) AdminUI

WINDOWS

Please follow steps below for the removal of spring-core from the r12.8.6a (and lower) AdminUI on the Windows Server operating system.

1.  Stop the AdminUI server

2.  Delete the following file:

<Install_Dir>\adminui\standalone\deployments\iam_siteminder.ear\user_console.war\WEB-INF\lib\spring-core-4.3.4.jar

3.  Delete the following directory:

<Install_Dir>/adminui/standalone/tmp/vfs/

4.  Start the AdminUI server

LINUX

Please follow the steps below for the removal of spring-core from the r12.8.6a (and lower) AdminUI on the Linux operating system.

1.  Stop the AdminUI server

2.  Delete the following file:

<Install_Dir>/CA/siteminder/adminui/standalone/deployments/iam_siteminder.ear/library/spring-core-4.3.4.jar

3.  Delete the following directory:

<Install_Dir>/adminui/standalone/tmp/vfs/

4.  Start the AdminUI server
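The check a practitioner would want to run before and after the removal steps above, as an added example written for this article (it is not Broadcom tooling and not part of the KB): a POSIX sh script that walks an AdminUI tree, lists every spring-core jar it finds, including the exploded copies under tmp/vfs/ that the scan reported, and flags any whose file name carries a version below the scan's "Fixed version" of 4.3.16. It assumes the AdminUI root (for example <Install_Dir>/adminui/standalone) is passed as the first argument, and it identifies versions from the jar file name only.

```shell
#!/bin/sh
# Added example (not part of the Broadcom KB): locate spring-core jars under an
# AdminUI install and flag any below the fixed version quoted by the scan.
# Assumptions: the AdminUI root (e.g. <Install_Dir>/adminui/standalone) is the
# first argument; jars are recognised by file name, e.g. spring-core-4.3.4.jar
# or spring-core-4.3.4.RELEASE.jar.

FIXED_VERSION=4.3.16   # "Fixed version" reported by the scan in this article

# version_lt A B: exit 0 when dotted numeric version A is lower than B.
version_lt() {
  vlt_a=$1
  vlt_b=$2
  while [ -n "$vlt_a" ] || [ -n "$vlt_b" ]; do
    vlt_ai=${vlt_a%%.*}
    vlt_bi=${vlt_b%%.*}
    # drop the component just consumed; empty string once a side is exhausted
    if [ "$vlt_ai" = "$vlt_a" ]; then vlt_a=''; else vlt_a=${vlt_a#*.}; fi
    if [ "$vlt_bi" = "$vlt_b" ]; then vlt_b=''; else vlt_b=${vlt_b#*.}; fi
    vlt_ai=${vlt_ai:-0}
    vlt_bi=${vlt_bi:-0}
    if [ "$vlt_ai" -lt "$vlt_bi" ]; then return 0; fi
    if [ "$vlt_ai" -gt "$vlt_bi" ]; then return 1; fi
  done
  return 1
}

# jar_version PATH: print the numeric version embedded in a spring-core jar
# name ("4.3.4" for spring-core-4.3.4.RELEASE.jar); prints nothing if absent.
jar_version() {
  basename "$1" | sed -E -n 's/^spring-core-([0-9]+(\.[0-9]+)*).*\.jar$/\1/p'
}

# All spring-core jars under ROOT. This covers both the deployed copy under
# deployments/ and the exploded copy JBoss keeps under tmp/vfs/, which is why
# the KB steps delete that directory as well.
find_spring_core_jars() {
  find "$1" -type f -name 'spring-core-*.jar' 2>/dev/null
}

# Print "<version><TAB><path>" for each jar below FIXED (default 4.3.16).
# A jar whose name carries no version is printed as "unknown" for manual review.
vulnerable_spring_core_jars() {
  vscj_fixed=${2:-$FIXED_VERSION}
  find_spring_core_jars "$1" | while IFS= read -r jar; do
    ver=$(jar_version "$jar")
    case $ver in
      '') printf 'unknown\t%s\n' "$jar" ;;
      *)  if version_lt "$ver" "$vscj_fixed"; then printf '%s\t%s\n' "$ver" "$jar"; fi ;;
    esac
  done
}

# check_spring_core ROOT [FIXED]: exit 1 and list findings on stderr if any
# vulnerable or unknown-version spring-core jar remains, exit 0 otherwise.
check_spring_core() {
  csc_fixed=${2:-$FIXED_VERSION}
  csc_found=$(vulnerable_spring_core_jars "$1" "$csc_fixed")
  if [ -n "$csc_found" ]; then
    printf 'spring-core below %s (or of unknown version) still present under %s:\n%s\n' \
      "$csc_fixed" "$1" "$csc_found" >&2
    return 1
  fi
  printf 'OK: no spring-core jar below %s under %s\n' "$csc_fixed" "$1"
}

# Usage: sh check_spring_core.sh <Install_Dir>/adminui/standalone [fixed-version]
if [ $# -gt 0 ]; then
  check_spring_core "$1" "${2:-}"
fi
```

Run it once with the AdminUI stopped to confirm the scan finding, again after step 3 to confirm both the deployed jar and the tmp/vfs copy are gone, and a final time after the AdminUI has restarted, since the vfs cache is rebuilt from whatever is still in deployments/. Because the match is on file name only, a jar whose name omits the version is reported as "unknown" rather than silently passed; for those, read META-INF/MANIFEST.MF from the jar by hand.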

Additional Information