Authentication Hub Vulnerability Scan - Release 1.0.3160

Article ID: 253964

Products

VIP Authentication Hub

Issue/Introduction

This article concerns Authentication Hub, release 1.0.3160.

A vulnerability scan of this release reports the following High impact vulnerabilities:

  • CVE-2016-1000027
  • CVE-2022-23307
  • CVE-2019-17571

One of the following is needed: a remediation plan, or proof that the product is not impacted by these vulnerabilities.

Environment

Release: October.01.2022

Resolution

CVE-2016-1000027:
Broadcom Mitigation Statement: This vulnerability applies to Spring Framework 5.3.16. We use 5.3.21, which is not vulnerable. The JXray scan still reports it because the older version may be referenced in pom.xml; we build the binaries with the strict flag, so only 5.3.21 ends up in the actual component. This is a false positive reported by the scanner.

CVE-2022-23307:
Broadcom Mitigation Statement: This is a vulnerability in Log4j 1.2.x. The dependency path for this library is OpenSAML --> ESAPI --> log4j --> Apache Chainsaw. However, we specifically use log4j-api:2.17.1 and log4j-core:2.17.1. In addition, the log4j that is embedded through OpenSAML --> ESAPI is not enabled by us, hence the vulnerability is not exploitable.

CVE-2019-17571:
Broadcom Mitigation Statement: This is a vulnerability in Log4j 1.2.x. The dependency path for this library is OpenSAML --> ESAPI --> log4j --> SocketServer. However, we specifically use log4j-api:2.17.1 and log4j-core:2.17.1. In addition, the log4j that is embedded through OpenSAML --> ESAPI is not enabled by us, hence the vulnerability is not exploitable.