
VIP Authentication Hub Security Scan detected high vulnerabilities


Article ID: 252783


Products

VIP Authentication Hub

Issue/Introduction

A security scan of the product detected high-severity vulnerabilities, for example:
CVE-2016-1000027
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data.

CVE-2022-25857
The package org.yaml:snakeyaml, versions from 0 and before 1.31, is vulnerable to Denial of Service (DoS) due to a missing nesting depth limitation for collections.

CVE-2022-40156
Those using XStream to serialize XML data may be vulnerable to Denial of Service (DoS) attacks.
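The first thing an operator usually needs is to tell which scanner findings correspond to a library that is actually present at an affected version. The Python script below is an added example, not part of this article: it reads a Maven-style dependency listing and applies the version ranges the article names (Spring Framework through 5.3.16, snakeyaml before 1.31). The `mvn dependency:list` input format, the Maven coordinates used to match the libraries, and the sample listing are assumptions; because the article gives no fixed XStream version, XStream matches are only flagged for review.

```python
import re

# (group, artifact regex, CVE label, boundary version, boundary version itself affected?)
# Spring Framework "through 5.3.16": affected if version <= 5.3.16
# snakeyaml "before 1.31":           affected if version <  1.31
# XStream: no fixed version is given in the article, so matches are flagged for review
RULES = [
    ("org.springframework", r"^spring-", "CVE-2016-1000027", "5.3.16", True),
    ("org.yaml", r"^snakeyaml$", "CVE-2022-25857", "1.31", False),
    ("com.thoughtworks.xstream", r"^xstream$", "CVE-2022-40151 to CVE-2022-40156", None, False),
]


def parse_version(text):
    """Leading numeric dotted components: '5.3.16.RELEASE' -> (5, 3, 16)."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def parse_coordinate(line):
    """'org.yaml:snakeyaml:jar:1.30:compile' -> ('org.yaml', 'snakeyaml', '1.30'), or None."""
    line = re.sub(r"^\[INFO\]\s*", "", line.strip())  # tolerate the Maven log prefix
    fields = line.split(":")
    if len(fields) < 3:
        return None
    # the version is the first field after group:artifact that starts with a digit
    version = next((f for f in fields[2:] if re.match(r"\d", f)), None)
    if version is None:
        return None
    return fields[0], fields[1], version


def assess(group, artifact, version):
    """Return (cve_label, status); status is 'affected', 'not affected', 'review' or 'unknown'."""
    parsed = parse_version(version)
    for rule_group, artifact_re, cve, bound, bound_affected in RULES:
        if group != rule_group or not re.search(artifact_re, artifact):
            continue
        if bound is None or not parsed:
            return cve, "review"  # no bound to compare against, or an unparsable version
        boundary = parse_version(bound)
        affected = parsed <= boundary if bound_affected else parsed < boundary
        return cve, ("affected" if affected else "not affected")
    return None, "unknown"


def scan(lines):
    """Assess every coordinate in a dependency listing; unrelated libraries are dropped."""
    findings = []
    for line in lines:
        coord = parse_coordinate(line)
        if coord is None:
            continue
        cve, status = assess(*coord)
        if status != "unknown":
            findings.append(("%s:%s:%s" % coord, cve, status))
    return findings


# Constructed sample listing in `mvn dependency:list` format (not taken from the article)
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-core:jar:5.3.16:compile
[INFO]    org.springframework:spring-web:jar:5.3.20:compile
[INFO]    org.yaml:snakeyaml:jar:1.30:compile
[INFO]    com.thoughtworks.xstream:xstream:jar:1.4.19:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.3:compile
""".splitlines()

if __name__ == "__main__":
    for coordinate, cve, status in scan(SAMPLE):
        print("%-13s %-35s %s" % (status, cve, coordinate))
```

Run it against the output of `mvn dependency:list` for each service image; a "review" line means the library is present but the article gives no version boundary to compare against, so the vendor advisory for that library has to be consulted.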

Environment

Product: VIP Authentication Hub, Version: 1.0.2937

Resolution

CVE-2016-1000027
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data.
Mitigation statement: This vulnerability is mitigated in the October.01 (M9) release.

CVE-2022-25857
The package org.yaml:snakeyaml, versions from 0 and before 1.31, is vulnerable to Denial of Service (DoS) due to a missing nesting depth limitation for collections.

Mitigation statement: This vulnerability is present in one of the dependent libraries of the Data Initializer service. However, this service runs in the cluster only once, when installing or updating the SSP services. In addition, YAML is not taken as user input for this service, so the vulnerability is not exploitable.
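The snakeyaml finding is a nesting-depth problem, and the fix in 1.31 works by bounding the depth the parser will accept. As an added illustration, not code from this article or from the SnakeYAML project, the Python guard below measures the nesting depth of a YAML document before it reaches a parser and rejects anything deeper than a limit, which is the same kind of check a service that does accept YAML from outside would want in front of its parser. The limit value of 50, the depth-counting rules (each block indentation step and each unclosed `[` or `{` counts as one level) and the sample documents are assumptions.

```python
DEFAULT_LIMIT = 50  # assumed value; align it with whatever your YAML parser enforces


class NestingTooDeep(ValueError):
    """Raised when a document nests collections deeper than the configured limit."""


def max_nesting_depth(doc):
    """Approximate nesting depth of a YAML document.

    Each indentation step in block style and each unclosed '[' or '{' in flow
    style counts as one level. Quoted strings and comments are skipped so that
    brackets inside them do not count.
    """
    indent_stack = []  # indentation widths of the enclosing block nodes
    flow_depth = 0     # '[' / '{' opened but not yet closed
    deepest = 0
    for raw in doc.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if flow_depth == 0:  # indentation is only structural outside flow collections
            indent = len(raw) - len(raw.lstrip(" "))
            while indent_stack and indent < indent_stack[-1]:
                indent_stack.pop()
            # a document whose root is a flow collection has no enclosing block node
            root_is_flow = not indent_stack and stripped[0] in "[{"
            if not root_is_flow and (not indent_stack or indent > indent_stack[-1]):
                indent_stack.append(indent)
        quote = None
        for pos, ch in enumerate(stripped):
            if quote:
                if ch == quote:
                    quote = None
            elif ch in "'\"":
                quote = ch
            elif ch == "#" and (pos == 0 or stripped[pos - 1] == " "):
                break  # rest of the line is a comment
            elif ch in "[{":
                flow_depth += 1
                deepest = max(deepest, len(indent_stack) + flow_depth)
            elif ch in "]}":
                flow_depth = max(0, flow_depth - 1)
        deepest = max(deepest, len(indent_stack) + flow_depth)
    return deepest


def check_yaml_depth(doc, limit=DEFAULT_LIMIT):
    """Return the measured depth, or raise NestingTooDeep if it exceeds the limit."""
    depth = max_nesting_depth(doc)
    if depth > limit:
        raise NestingTooDeep("nesting depth %d exceeds limit %d" % (depth, limit))
    return depth


def accepts(doc, limit=DEFAULT_LIMIT):
    """Boolean form of the guard, convenient for request filters."""
    try:
        check_yaml_depth(doc, limit)
        return True
    except NestingTooDeep:
        return False


# Constructed sample inputs (not from the article)
SAFE_DOC = "service:\n  name: data-initializer\n  replicas: 1\n  ports: [8080, [8443, 8444]]\n"
DEEP_DOC = "[" * 60 + "1" + "]" * 60  # a flow sequence nested 60 levels deep

if __name__ == "__main__":
    for label, doc in (("safe", SAFE_DOC), ("deep", DEEP_DOC)):
        print("%s: depth %d, accepted=%s" % (label, max_nesting_depth(doc), accepts(doc)))
```

The guard is deliberately approximate: it over-counts rather than under-counts, which is the right direction for a limit that exists to stop resource exhaustion, and a document it rejects can still be inspected by hand. Where the real parser already enforces a depth limit (snakeyaml 1.31 and later), the pre-parse guard mostly serves to give the application its own log line and error message instead of a parser exception.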

CVE-2022-40156, CVE-2022-40155, CVE-2022-40154, CVE-2022-40153, CVE-2022-40152, CVE-2022-40151
Those using XStream to serialize XML data may be vulnerable to Denial of Service (DoS) attacks.

Mitigation statement: These vulnerabilities all relate to the XStream library and are exploited when XML parsing happens. In our case there are no user-driven XML inputs, which is why exploitation is not possible.