We have relatively new security findings on CA Introscope App Servers related to the Spring Framework. What I'd like to understand is if this finding is resolved in a later version (at least version 5.2.20 or greater)? If not, is there an expected release date of a version that will have this remediated? Thanks in advance for your assistance, and please let me know if anything else is needed.
Release : 10.7.0
Component :
So here are your options:
1) APMSQL
Vulnerable files:
Path : /app/introscope/APMSqlServer/repo/spring-core-5.0.8.RELEASE.jar
Installed version : 5.0.8.RELEASE
Fixed version : 5.2.20

Path : /app/introscope/hotfix/10.7.0-HF29/APMSqlServer/repo/spring-core-3.2.16.RELEASE.jar
Installed version : 3.2.16.RELEASE
Fixed version : 5.2.20
Solution:
Follow the steps in KB https://knowledge.broadcom.com/external/article?articleId=232353
or upgrade to 10.8, which removes APMSQL completely.
2) APM EM
Vulnerable files:
Path : /app/introscope/product/enterprisemanager/configuration/org.eclipse.osgi/bundles/57/1/.cp/WebContent/WEB-INF/lib/spring-core-4.3.22.RELEASE.jar
Installed version : 4.3.22.RELEASE
Fixed version : 5.2.20
Solution:
This will be fixed in a 10.8 hotfix (HF). There are no plans to fix it in 10.7, so upgrading to 10.8 and deploying the HF is the most direct way to resolve both issues. Contact Support for the HF status.
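
To confirm which spring-core jars are still below the fixed version after following the KB or upgrading, the install tree can be inventoried by file name. The script below is an added example, not Broadcom code; the function names are hypothetical, and it assumes GNU sort and the stock spring-core-<version>[.RELEASE].jar naming seen in the finding.

```shell
#!/bin/sh
# Added example (not vendor code): inventory spring-core jars by file name.
# Assumes GNU sort (-V) and the stock spring-core-<version>[.RELEASE].jar naming;
# renamed or repackaged copies are not detected.

FIXED_VERSION="5.2.20"   # "Fixed version" reported in the finding

# version_lt A B: true when version A is strictly lower than version B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# jar_version PATH: print the version taken from the jar file name.
jar_version() {
    name=$(basename "$1" .jar)
    name=${name#spring-core-}
    printf '%s\n' "${name%.RELEASE}"
}

# scan_spring_core ROOT: print "STATUS VERSION PATH" for every jar under ROOT.
scan_spring_core() {
    find "$1" -type f -name 'spring-core-*.jar' 2>/dev/null | sort |
    while IFS= read -r jar; do
        ver=$(jar_version "$jar")
        if version_lt "$ver" "$FIXED_VERSION"; then
            status=VULNERABLE
        else
            status=OK
        fi
        printf '%s %s %s\n' "$status" "$ver" "$jar"
    done
}

# count_vulnerable ROOT: print how many jars are below FIXED_VERSION.
count_vulnerable() {
    scan_spring_core "$1" | grep -c '^VULNERABLE ' || true
}

# Usage: scan_spring_core /app/introscope
```

The version-aware sort matters here: a plain string comparison would rank 5.2.9 above 5.2.20.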