A penetration test has flagged the Spring Framework library version 4.3.4, which ships with CA Identity Manager (Symantec IGA), as having a Remote Code Execution vulnerability, CVE-2018-1270: https://nvd.nist.gov/vuln/detail/CVE-2018-1270
Is there a patch or fix available for this?
Release : 14.3
Component : Identity Manager
IM Engineering has assessed this vulnerability and supplied the following feedback:
CA Identity Manager (IM) does not currently support a newer version of Spring; however, IM is not impacted by this vulnerability.
CVE-2018-1270 refers to the STOMP service, which is exposed in the spring-message module, which we do not ship.
As per our analysis and the links below, IM is not impacted by this vulnerability as we do not ship the spring-message module.
https://access.redhat.com/security/cve/CVE-2018-1270
https://www.sourceclear.com/vulnerability-database/security/remote-code-execution-rce/java/sid-6069
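
To confirm on a deployed system that the module is absent, the following added example (not CA/Broadcom code) walks a deployment directory, opens EAR/WAR/JAR archives recursively, and reports any spring-messaging jar or repackaged `org.springframework.messaging` classes. It assumes the module appears under its Spring Framework artifact name, `spring-messaging`, and the directory argument is whatever path your application server deploys Identity Manager to.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# spring-messaging is the Spring Framework artifact that carries STOMP support.
JAR_NAME = re.compile(r"(^|/)spring-messaging-[^/]*\.jar$", re.IGNORECASE)
PACKAGE = "org/springframework/messaging/"  # catches repackaged (fat) jars
ARCHIVES = (".ear", ".war", ".jar", ".zip")


def scan_archive(data, label):
    """Return locations of spring-messaging inside archive bytes, recursing
    into nested EAR/WAR/JAR entries."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # unreadable or not really an archive: nothing to report
    with zf:
        names = zf.namelist()
        if any(PACKAGE in n and n.endswith(".class") for n in names):
            hits.append(f"{label} (contains {PACKAGE} classes)")
        for name in names:
            inner = f"{label}!/{name}"
            if JAR_NAME.search(name):
                hits.append(inner)
            elif name.lower().endswith(ARCHIVES):
                hits.extend(scan_archive(zf.read(name), inner))
    return hits


def scan_tree(root):
    """Scan a deployment directory, packaged or exploded, for the module."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if JAR_NAME.search(path.as_posix()):
            hits.append(str(path))
        elif path.suffix.lower() in ARCHIVES:
            hits.extend(scan_archive(path.read_bytes(), str(path)))
    return hits


if __name__ == "__main__":
    found = scan_tree(sys.argv[1])  # argument: deployment directory to check
    print("\n".join(found) if found else "spring-messaging not found")
    sys.exit(1 if found else 0)
```

A non-zero exit status means the module was found and the "not impacted" assessment should be re-checked for that installation.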