The impact of Apache Xalan (CVE-2022-34169) and Spring Framework (CVE-2016-1000027, CVE-2022-22971, CVE-2022-22970, CVE-2022-22968, CVE-2022-22965) on Service Virtualization

Article ID: 259530

Products

Service Virtualization CA Application Test CA Continuous Application Insight (PathFinder)

Issue/Introduction

A patch is available on top of 10.7.2 to address the following vulnerabilities:

  • Apache Xalan (Java): CVE-2022-34169
  • Spring Framework: CVE-2016-1000027, CVE-2022-22971, CVE-2022-22970, CVE-2022-22968, CVE-2022-22965

The challenge is that even after the patch is applied, CVE-2022-34169 and CVE-2016-1000027 may still appear on the third-party scan report.

Environment

10.6.x and 10.7.x on-premise installer and images.

Cause

Third party vulnerabilities.

Resolution

For a fix on the 10.7.2 on-premise installer, download 10.7.2 SP3. The fixes are not yet available on the 10.7.2 images; they will be included in the next image release.

CVE-2022-34169 and CVE-2016-1000027 may still appear in the third-party scan because the component version number has not changed: the fixes were ported by repackaging the existing jar rather than by moving to a new upstream release, and scanners that match on the declared version cannot see that. If the third-party tool cannot detect fixes ported this way, the finding should be suppressed directly in that scan tool.
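The following is an added illustration, not code from the KB article or from the vendor, of why a version-matching scanner keeps flagging a repackaged jar and how a content-hash allowlist can tell the patched jar apart from the original. It builds two in-memory jars with identical Maven coordinates but different class bytes; the coordinates, version, advisory id and jar contents are all constructed placeholders, not the actual Xalan or Spring artifacts.

```python
"""Added example, not from the KB article or the vendor: shows why a scanner that
matches on declared component version keeps flagging a repackaged (patched) jar,
and how a content-hash allowlist distinguishes the patched jar from the original.
All coordinates, versions, advisory ids and jar contents are constructed placeholders."""
import hashlib
import io
import zipfile

# Constructed placeholder coordinates: identical before and after repackaging,
# because porting a fix into the jar does not bump the declared version.
COORDS = {"groupId": "org.example", "artifactId": "example-lib", "version": "1.2.3"}

# Constructed placeholder advisory database, keyed the way version-based scanners key it.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "groupId": "org.example",
     "artifactId": "example-lib", "affected": {"1.2.3"}},
]


def build_jar(coords, payload):
    """Build an in-memory jar (constructed test data) with a Maven pom.properties entry.
    Fixed timestamps make the archive bytes deterministic so hashes are stable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        props = "".join(f"{k}={v}\n" for k, v in coords.items())
        entries = {
            "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
            f"META-INF/maven/{coords['groupId']}/{coords['artifactId']}/pom.properties": props.encode(),
            "org/example/Lib.class": payload,  # stands in for the compiled classes
        }
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            zf.writestr(info, data)
    return buf.getvalue()


def read_coordinates(jar):
    """Extract groupId/artifactId/version from pom.properties, as a version scanner does."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                lines = zf.read(name).decode().splitlines()
                return dict(l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
    return {}


def sha256(data):
    """Content hash of the whole archive; changes whenever the packaged bytes change."""
    return hashlib.sha256(data).hexdigest()


def version_scan(jar, advisories):
    """Version-only matching: flags any jar whose declared coordinates are in an affected set."""
    c = read_coordinates(jar)
    return [a["id"] for a in advisories
            if a["groupId"] == c.get("groupId")
            and a["artifactId"] == c.get("artifactId")
            and c.get("version") in a["affected"]]


def hash_aware_scan(jar, advisories, patched_hashes):
    """Same matching, but a finding is suppressed when the jar's SHA-256 is on the
    allowlist of jars that have been verified to carry the ported fix."""
    if sha256(jar) in patched_hashes:
        return []
    return version_scan(jar, advisories)


if __name__ == "__main__":
    original = build_jar(COORDS, b"original class bytes")
    patched = build_jar(COORDS, b"class bytes with the ported fix")
    print("declared version, original:", read_coordinates(original)["version"])
    print("declared version, patched: ", read_coordinates(patched)["version"])
    print("version-only scan, patched jar:", version_scan(patched, ADVISORIES))
    allow = {sha256(patched)}
    print("hash-aware scan, patched jar:  ", hash_aware_scan(patched, ADVISORIES, allow))
    print("hash-aware scan, original jar: ", hash_aware_scan(original, ADVISORIES, allow))
```

Both jars declare the same version, so the version-only scan reports the advisory for the patched jar as well as the original. Recording the SHA-256 of the vendor-supplied patched jar and allowlisting that hash in the scan tool (or in a wrapper like the one above) suppresses the finding only for the exact bytes that were verified, while an unpatched copy of the same version is still reported.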

CVE-2022-22965 may also appear on third-party scan tools. For more information, see Knowledge Base Article.