CVE-2022-22950 Spring-core framework vulnerability in Advanced Authentication Admin and UDS
search cancel

CVE-2022-22950 Spring-core framework vulnerability in Advanced Authentication Admin and UDS

book

Article ID: 241923

calendar_today

Updated On:

Products

CA Risk Authentication CA Strong Authentication CA Advanced Authentication

Issue/Introduction

CVE-2022-22950 Spring framework vulnerability in AA Admin and UDS  in a medium priority vulnerability related to AA Admin UI and AA UDS.

Refer to this link for this CVE-2022-22950 --- https://nvd.nist.gov/vuln/detail/CVE-2022-22950

Environment

Release : 9.1

Component : AuthMinder(Arcot WebFort) Strong Authentication

RiskMinder (Arcot RiskFort) Risk Authentication

Cause

In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL (Spring Expression Language) expression that may cause a denial of service condition.

Resolution

This is medium level vulnerability. In AA 9.1 SP5 (aka 9.1.05), multiple third-party libraries are updated to address potential security vulnerabilities, including Spring Framework 5.3.29. The older unsupported versions of Spring Framework is not used in AA Admin and UDS components (in AA Service Pack 5  - aka SP5). 9.1.05 is already release and can be downloaded from the Support site.

Additional Information

Third-Party Software Acknowledgments: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/advanced-authentication/9-1/third-party-software-acknowledgments.html

Powered by Wolken Software