Multiple DevTest Vulnerabilities

Article ID: 253646

Products

Service Virtualization

Issue/Introduction

We are using Service Virtualization and had a scan from the client side. We got the vulnerabilities below. Without fixing these application-related vulnerabilities we won't be able to use Service Virtualization. Please find the details below.

QID | Title | Type | Severity | Port | Protocol | CVE ID | CVSS3 Base
376506 | Spring Framework Remote Code Execution (RCE) Vulnerability (Spring4Shell) | Vuln | HIGH | - | - | CVE-2022-22965 | 9.8 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
376564 | Oracle Java Standard Edition (SE) ECDSA Vulnerability | Vuln | HIGH | - | - | CVE-2022-21449 | 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
376187 | Apache Log4j 1.2 Remote Code Execution Vulnerability | Vuln | HIGH | - | - | CVE-2021-4104 | 7.5 HIGH (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
376642 | Spring Framework Denial of Service (DoS) Data Binding Vulnerability | Vuln | MEDIUM | - | - | CVE-2022-22970, CVE-2022-22971 | 6.5 MEDIUM (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
376546 | Oracle Java Standard Edition (SE) Critical Patch Update - April 2022 (CPUAPR2022) | Vuln | HIGH | - | - | CVE-2022-0778, CVE-2022-21476, CVE-2022-21426, CVE-2022-21496, CVE-2022-21434, CVE-2022-21443 | 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
376533 | Spring Framework Denial of Service (DoS) Vulnerability | Vuln | MEDIUM | - | - | CVE-2022-22950 | 6.5 MEDIUM (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
13162 | Session Cookie Does Not Contain the "Secure" Attribute | Vuln | MEDIUM | 1505 | tcp | - | 6.5 MEDIUM (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
11827 | HTTP Security Header Not Detected | Vuln | MEDIUM | 51112 | tcp | - | 5.3 MEDIUM (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
376244 | H2 Database Console Remote Code Execution (RCE) Vulnerability (CVE-2021-42392) | Practice | HIGH | - | - | CVE-2021-42392 | 9.8 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Environment

Release: 10.7.x

Cause

Vulnerabilities

Resolution

Refer to the "BROADCOM COMMENTS" given for each finding below:

QID | Title | Type | Severity | Port | Protocol | CVE ID | CVSS3 Base

376506 | Spring Framework Remote Code Execution (RCE) Vulnerability (Spring4Shell) | Vuln | HIGH | - | - | CVE-2022-22965 | 9.8 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Broadcom comments: DevTest NOT impacted:
https://knowledge.broadcom.com/external/article?articleId=238439

376564 | Oracle Java Standard Edition (SE) ECDSA Vulnerability | Vuln | HIGH | - | - | CVE-2022-21449 | 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Broadcom comments: DevTest NOT impacted:
https://knowledge.broadcom.com/external/article?articleId=253547

376187 | Apache Log4j 1.2 Remote Code Execution Vulnerability | Vuln | HIGH | - | - | CVE-2021-4104 | 7.5 HIGH (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Broadcom comments: Partial impact. Mitigation is provided in the article below:
https://knowledge.broadcom.com/external/article?articleId=231043

376642 | Spring Framework Denial of Service (DoS) Data Binding Vulnerability | Vuln | MEDIUM | - | - | CVE-2022-22970, CVE-2022-22971 | 6.5 MEDIUM (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Broadcom comments: Analyzed as a MEDIUM vulnerability. The fix will be provided on top of DevTest 10.7.2. Approximate ETA is 31 Jan 2022.
https://knowledge.broadcom.com/external/article?articleNumber=259530

376546 | Oracle Java Standard Edition (SE) Critical Patch Update - April 2022 (CPUAPR2022) | Vuln | HIGH | - | - | CVE-2022-0778, CVE-2022-21476, CVE-2022-21426, CVE-2022-21496, CVE-2022-21434, CVE-2022-21443 | 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Broadcom comments, per CVE:

1: CVE-2022-0778 https://nvd.nist.gov/vuln/detail/CVE-2022-0778
This issue affects OpenSSL, which is not part of DevTest, so we are not affected by it.

2: CVE-2022-21476 https://nvd.nist.gov/vuln/detail/CVE-2022-21476
We are not vulnerable, as DevTest 10.7 ships with AdoptOpenJdk-1.8.0_232-b09.
This CVE affects:
cpe:2.3:a:oracle:jdk:8.0:update_321:*:*:*:*:*:*

3: CVE-2022-21426 https://nvd.nist.gov/vuln/detail/CVE-2022-21426
This vulnerability affects Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18.
As DevTest uses AdoptOpenJdk-1.8.0_232-b09, it is not affected.

4: CVE-2022-21496 https://nvd.nist.gov/vuln/detail/CVE-2022-21496
This vulnerability affects Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18.
As DevTest uses AdoptOpenJdk-1.8.0_232-b09, it is not affected.

5: CVE-2022-21434 https://nvd.nist.gov/vuln/detail/CVE-2022-21434
This vulnerability affects Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18.
As DevTest uses AdoptOpenJdk-1.8.0_232-b09, it is not affected.

6: CVE-2022-21443 https://nvd.nist.gov/vuln/detail/CVE-2022-21443
This vulnerability affects Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18.
As DevTest uses AdoptOpenJdk-1.8.0_232-b09, it is not affected.

376533 | Spring Framework Denial of Service (DoS) Vulnerability | Vuln | MEDIUM | - | - | CVE-2022-22950 | 6.5 MEDIUM (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Broadcom comments: Analyzed as a MEDIUM vulnerability. The fix will be provided on top of DevTest 10.7.2. Approximate ETA is 31 Jan 2022.
https://knowledge.broadcom.com/external/article?articleNumber=246681

13162 | Session Cookie Does Not Contain the "Secure" Attribute | Vuln | MEDIUM | 1505 | tcp | - | 6.5 MEDIUM (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Broadcom comments: Patch available. 10.6.0 only.

11827 | HTTP Security Header Not Detected | Vuln | MEDIUM | 51112 | tcp | - | 5.3 MEDIUM (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Broadcom comments: Fix available. 10.6.0 only.

376244 | H2 Database Console Remote Code Execution (RCE) Vulnerability (CVE-2021-42392) | Practice | HIGH | - | - | CVE-2021-42392 | 9.8 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Broadcom comments: 10.6.0 only. See:
https://knowledge.broadcom.com/external/article?articleId=241308