Our security team hit us for the following vulnerability.
I upgraded CAPM to 22.2 and they found this vulnerability.
/opt/IMDataAggregator/broker/apache-activemq-5.16.4/lib/optional/spring-core-4.3.30.RELEASE.jar
Release : 22.2.1 and older
Component : DX NetOps Performance Management Vulnerabilities
We are currently embedding activemq-5.16.x which contains a vulnerable version of spring.
Broadcom will embed activemq-5.17.x in a future build.
This will include spring 5.3.20+.
The tentative target is to include activemq-5.17.2 in Performance Management 22.2.3 (as of Sep 26, 2022).
This is subject to change.
This vulnerability affects data aggregator (DA) and data collectors (DC).
This vulnerability only affects the AMQ process.
DA/DC karaf already uses spring 5.3.20.
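
To confirm on a DA or DC host which embedded copies of spring-core sit below the 5.3.20 level named above, a scan like the following can be used. This is an added example, not Broadcom tooling: the function names and the OLD/OK labels are hypothetical, the scan root is whatever directory you pass in (for example the /opt/IMDataAggregator install directory seen in the scanner finding), and the version is read from the jar file name only.

```shell
#!/bin/sh
# Added example: list spring-core jars under a directory and flag those
# whose file-name version is below the 5.3.20 level cited in the article.
MIN_VERSION="5.3.20"

# version_lt A B: succeeds when dotted version A sorts strictly below B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" \
        | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# scan_spring_core ROOT: print "STATUS VERSION PATH" for each jar found.
scan_spring_core() {
    find "$1" -type f -name 'spring-core-*.jar' 2>/dev/null | sort |
    while IFS= read -r jar; do
        name=${jar##*/}
        ver=${name#spring-core-}
        ver=${ver%.jar}
        ver=${ver%.RELEASE}    # spring 4.x naming: 4.3.30.RELEASE -> 4.3.30
        case "$ver" in
            [0-9]*.[0-9]*.[0-9]*) ;;
            *) echo "UNKNOWN $ver $jar"; continue ;;
        esac
        if version_lt "$ver" "$MIN_VERSION"; then
            echo "OLD $ver $jar"
        else
            echo "OK $ver $jar"
        fi
    done
}

# Run the scan when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_spring_core "$1"
fi
```

An OLD line under the broker directory matches the scanner finding; the karaf copy should report OK.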