
Vulnerability Spring 4.3.30 CVE-2021-22096 / BDSA-2021-3236


Article ID: 229930


Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

Black Duck scans have reported a new vulnerability: CVE-2021-22096 / BDSA-2021-3236

The CVSS score is 4.3 or 4.7, depending on which issue is selected (BDSA or CVE).

Environment

Release : 10.7.0

Component : Introscope

Resolution

Details from Black Duck (this vulnerability is currently under review with Black Duck):

Spring Framework Vulnerable to Log File Injection via Insufficient Input Validation

BDSA-2021-3236, CVE-2021-22096


Spring Framework is vulnerable to log file injection due to insufficient validation of user input in an undisclosed component. An attacker could leverage this issue to add arbitrary entries to a log file, which could affect both the integrity of the log and the performance of the application.

Solution - Fix Available

Fixed in versions 5.3.11 and 5.2.18.

Note: 5.3.11 was found to contain a major regression, so users should instead upgrade to 5.3.12.

The latest stable releases can be found here.

No Workaround

This will be fixed in SP4; no ETA is available.