Spring Framework, Spring Security, and Spring Boot vulnerabilities for CA Agile Requirements Designer (ARD)
Article ID: 265903


Products

CA Agile Requirements Designer

Issue/Introduction

The following vulnerabilities have been reported for CA Agile Requirements Designer:

Environment

Agile Requirements Designer Hub 3.2.5, 3.2.7, 3.3

Resolution

Agile Requirements Designer Studio is not affected by Spring vulnerabilities, and customers who do not use ARD Hub are not impacted.

Agile Requirements Designer Hub is vulnerable to multiple Spring vulnerabilities. The ARD Hub development team has completed the fixes for the hub.

These fixes contain the below:

  1. This solution fixes the 5 Spring vulnerabilities listed below:
    1. CVE-2023-20862 (BDSA-2023-0873) -- Critical
    2. CVE-2023-20873 (BDSA-2023-0953) -- Critical
    3. CVE-2023-20860 (BDSA-2023-0649) -- High
    4. CVE-2023-20861 (BDSA-2023-0638) -- Medium
    5. CVE-2023-20863 (BDSA-2023-0847) -- Medium

  2. Version creation from the ARD UI is fixed.

NOTE: Fixes are now published to the download section of support.

Steps to apply the fix:

  1. Download the artifacts attached to this solution page.
  2. Upgrade from 3.2 / 3.2.7 / 3.3:
    • Extract the zipped files for your environment (Docker or manual setup).

Docker setup:

    1. Run the ard.sh script.

Manual setup:

    1. Stop the Tomcat service.
    2. Remove the war files and their associated files (those with the same filename) from the <TOMCAT_HOME>/webapps folder.
    3. Copy the contents of <HUB_HOME>/war to <TOMCAT_HOME>/webapps.
    4. Replace the war files in <TOMCAT_HOME>/webapps with the war files attached in the zip.
    5. Start the Tomcat service.
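The manual steps above, scripted as an added example (not a script shipped by Broadcom or part of this article). It assumes TOMCAT_HOME, HUB_HOME and PATCH_DIR are set by the operator, that Tomcat is managed by a systemd unit named "tomcat" (a placeholder), and that `unzip` is available for the post-install check.

```shell
#!/usr/bin/env sh
# Added example: automates the manual Tomcat upgrade for the ARD Hub fix.
# Assumptions (not from the article): TOMCAT_HOME, HUB_HOME and PATCH_DIR are
# set by the operator; the service name "tomcat" is a placeholder.

# Step 2: remove each *.war in the webapps folder together with the exploded
# directory of the same name, so Tomcat cannot serve the old deployment.
remove_wars() {
  webapps="$1"
  for war in "$webapps"/*.war; do
    [ -e "$war" ] || continue          # no match: glob stays literal
    rm -f "$war"
    rm -rf "${war%.war}"               # exploded directory with the same name
  done
}

# Steps 3 and 4: copy the shipped wars from <HUB_HOME>/war, then overlay the
# patched wars from the fix zip. The patched copies win because they land last.
deploy_wars() {
  webapps="$1"; hub_war_dir="$2"; patch_dir="$3"
  cp "$hub_war_dir"/*.war "$webapps"/
  cp "$patch_dir"/*.war "$webapps"/
}

# Post-install check: list the Spring jars bundled in a war so the operator can
# confirm the patched artifacts are the ones actually deployed.
list_spring_jars() {
  unzip -l "$1" | awk '{print $4}' | grep -E '^WEB-INF/lib/spring-.*\.jar$' | sort
}

# Steps 1 to 5 in order. Call this only on the Tomcat host.
apply_fix() {
  : "${TOMCAT_HOME:?set TOMCAT_HOME}" "${HUB_HOME:?set HUB_HOME}" "${PATCH_DIR:?set PATCH_DIR}"
  systemctl stop tomcat                                            # step 1
  remove_wars "$TOMCAT_HOME/webapps"                               # step 2
  deploy_wars "$TOMCAT_HOME/webapps" "$HUB_HOME/war" "$PATCH_DIR"  # steps 3-4
  systemctl start tomcat                                           # step 5
  for war in "$TOMCAT_HOME"/webapps/*.war; do
    echo "== $war"; list_spring_jars "$war"
  done
}
```

Run `apply_fix` after setting the three variables; the final listing is what you compare against the versions named in the fix's release notes.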

Please note that there is no change to the Keycloak setup.

For other upgrade or fresh-installation steps, refer to the Agile Requirements Designer documentation:
https://techdocs.broadcom.com/us/en/ca-enterprise-software/devops/agile-requirements-designer/3-3/installing/install-ard-hub/install-ard-hub-manually.html

These follow the same steps as the 3.3 release artifacts.

Additional Information

Customers running the older 3.2.0 release of ARD Hub should upgrade to ARD Hub 3.2.5 or 3.2.7 and then apply the provided fix.