Multiple CVE vulnerabilities found in scan of Spectrum OneClick.

Article ID: 242787

Products

CA Spectrum DX NetOps

Issue/Introduction

Our latest internal PCI monthly vulnerabilities were released and indicated that the version of Java that Spectrum is using has the following vulnerabilities:

CVE-2022-21305, CVE-2022-21349, CVE-2022-21366, CVE-2022-21248, CVE-2022-21291, CVE-2022-21341, CVE-2022-21296, CVE-2022-21340, CVE-2022-21277, CVE-2022-21299, CVE-2022-21365, CVE-2022-21271, CVE-2022-21282, CVE-2022-21293, CVE-2022-21283, CVE-2022-21294, CVE-2022-21360

Does Broadcom have a path to just update the Java version without having to upgrade the entire version of Spectrum? Do the newer versions of Spectrum even have an updated version of Java (if so, what is the version)?

Environment

Release: 21.2

Component: Spectrum OneClick

Resolution

Here is the list of vulnerabilities and the affected Java versions for each:

CVE-2022-21305    -    Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01.

CVE-2022-21349    -    Supported versions that are affected are Oracle Java SE: 7u321, 8u311.

CVE-2022-21366    -    Supported versions that are affected are Oracle Java SE: 11.0.13, 17.01

CVE-2022-21248    -    Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01

CVE-2022-21291    -    Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01

CVE-2022-21341    -    Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01

CVE-2022-21296    -    Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01

CVE-2022-21340    -    Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01

CVE-2022-21277    -    Supported versions that are affected are Oracle Java SE: 11.0.13, 17.01

CVE-2022-21299    -    Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01

CVE-2022-21365    -    Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01

CVE-2022-21271    -    Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13

CVE-2022-21282    -    Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01

CVE-2022-21293    -    Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01

CVE-2022-21283    -    Supported versions that are affected are Oracle Java SE: 11.0.13, 17.01

CVE-2022-21294    -    Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01

CVE-2022-21360    -    Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01

Spectrum 21.2.6 and 21.2.8 run Java 8u312, and none of the vulnerabilities above lists Java 8u312 as an affected version.

Additional Information

In Spectrum 21.2.12, we will upgrade the Java version to 8u332 when it is released.