
APM 10.7 - Spring 4.3.30 vulnerability CVE BDSA-2022-0820


Article ID: 239191


Updated On:

Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

Blackduck scans have detected a vulnerability in Spring 4.3.30.

Spring-Framework Vulnerable to Denial-of-Service (DoS) via Crafted SpEL Expression

BDSA-2022-0820 Published: Mar 29, 2022
Updated: Mar 29, 2022
 

How to fix it

Solution - Fix Available

Fixed in version 5.3.17 by this commit.

The latest stable releases can be found here.

No Workaround

Score: 6.5 (medium)
I have not found a CVE record for this yet.
 
Scanned Introscope version: 10.7.0.361.

Cause

This vulnerability issue is related to defect DE532144.

All the security vulnerabilities are fixed in the latest Spring Framework 5.3.18: https://mvnrepository.com/artifact/org.springframework/spring/5.3.18
We will upgrade Spring to 5.3.18 in APM 10.8.1 to completely resolve the vulnerabilities.

Environment

Release : 10.7.0

Component : Introscope

Resolution

No solution or workaround is available at the present time.

Additional Information