Agile Requirements Designer Studio is not affected by Spring vulnerabilities, and customers who do not use ARD Hub are not impacted.

Agile Requirements Designer Hub is vulnerable to the multiple Spring vulnerabilities. The ARD Hub development team has completed the fixes for the hub at this time.

These fixes contain the below:

1. This solution fixes the 5 Spring vulnerabilities listed below:
   
   1. CVE-2023-20862 (BDSA-2023-0873) -- Critical
   2. CVE-2023-20873 (BDSA-2023-0953) -- Critical
   3. CVE-2023-20860 (BDSA-2023-0649) -- High
   4. CVE-2023-20861(BDSA-2023-0638) -- Medium
   5. CVE-2023-20863(BDSA-2023-0847) -- Medium
      
      
2. Version creation from ARD-UI fixed.

NOTE: Fixes are now published to the download section of support


Steps to apply the fix:

1. Download the artifacts attached in this solution page.
2. Upgrade from 3.2 / 3.2.7 / 3.3:
   • Extract zipped files based on the environment (docker or manual setups).

Docker setup:

1. 1. Run ard.sh script.

Manual setup:

1. 1. Stop the tomcat service.
   2. Remove war files and associated files (having same filename) from <TOMCAT_HOME>/webapps folder.
   3. Copy the contents of <HUB_HOME>/war to <TOMCAT_HOME>/webapps.
   4. Replace war files attached (remo) in the zip to <tomcat_home>/webapps folder.
   5. Start the tomcat service.

Please note, there is no change in keycloak setup.

For other upgrade/fresh installation steps:

Please refer to the Agile Requirements Designer documentation:
https://techdocs.broadcom.com/us/en/ca-enterprise-software/devops/agile-requirements-designer/3-3/installing/install-ard-hub/install-ard-hub-manually.html

This will follow the same steps as 3.3 released artifacts.