search cancel

APM 10.7 - Spring 4.3.30 vulnerability CVE BDSA-2022-0820

book

Article ID: 239191

calendar_today

Updated On:

Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

Blackduck scans have defected vulnerability in Spring 4.3.30.

Spring-Framework Vulnerable to Denial-of-Service (DoS) via Crafted SpEL Expression

BDSA-2022-0820 PublishedMar 29, 2022
UpdatedMar 29, 2022
 

How to fix it

Solution - Fix Available

Fixed in version 5.3.17 by this commit.

The latest stable releases can be found here.

No Workaround

Score: 6.5 (medium)
I have not found a CVE record for this yet.
 
Scanned Introscope version: 10.7.0.361.
 
 
 

Environment

Release : 10.7.0

Component : Introscope

Cause

This vulnerability issue is related to defect DE532144

All the security vulnerabilities are fixed in the latest Spring Framework 5.3.18: https://mvnrepository.com/artifact/org.springframework/spring/5.3.18
We will upgrade it to the latest 5.3.18 in  APM 10.8.1 to completely resolve the vulnerabilities.

Resolution

No solution or workaround available at the present time

Additional Information

Powered by Wolken Software