VIP Authentication Hub Security Scan detected high vulnerabilities
Article ID: 252783
Updated On:
Products
VIP Authentication Hub
Issue/Introduction
Security scan of the product detected high severity vulnerabilities e.g.
CVE-2016-1000027
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data.
CVE-2022-25857
The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
CVE-2022-40156
Those using Xstream to serialize XML data may be vulnerable to Denial of Service attacks (DOS).
Environment
Product: VIP Authentication Hub, Version: 1.0.2937
Resolution
CVE-2016-1000027
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data.
Mitigation statement: This vulnerability is mitigated in the October.01 (M9)release.
CVE-2022-25857
The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing the nested depth limitation for collections.
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data.
Mitigation statement: This vulnerability is mitigated in the October.01 (M9)release.
CVE-2022-25857
The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing the nested depth limitation for collections.
Mitigation statement: This vulnerability is present in one of the dependent library in Data initializer service, However, This service is run in the cluster only once when installing and updating the SSP services .In addition, we are not taking the YAML as user input for this service So the exploitability of this vulnerability does not exist.
CVE-2022-40156,CVE-2022-40155,
Those using Xstream to serialize XML data may be vulnerable to Denial of Service attacks (DOS).
Mitigation statement: These vulnerabilities are all related to the XStream library and are exploited when the XML parsing happens. But In our case there are no user driven XML inputs, that's why the exploitation is not possible.
Feedback
Yes
No
Powered by
