CVE-2018-1270 - 'Remote Code Execution with spring-messaging' vulnerability in Risk Authentication REST API component.
In AA 9.1SP2 (aka 9.1.02), Spring Framework libraries at version 4.3.4 are used, which makes the product vulnerable to CVE-2018-1270.
Please refer to this link for CVE-2018-1270 - https://nvd.nist.gov/vuln/detail/CVE-2018-1270.
Advanced Authentication 9.1 SP2 (aka 9.1.02)
As described in CVE-2018-1270 ('Remote Code Execution with spring-messaging'), Spring Framework versions 5.0.x prior to 5.0.5, versions 4.3.x prior to 4.3.16, and older unsupported versions allow applications to expose STOMP (Streaming Text Oriented Message Protocol) over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that leads to remote code execution.
In AA 9.1SP2, Spring Framework libraries at version 4.3.4 are used, which falls within the affected 4.3.x range and makes the product vulnerable.
In AA 9.1 SP5 (aka 9.1.05), multiple third-party libraries are updated to address potential security vulnerabilities, including Spring Framework 5.3.29.
Advanced Authentication Product Management recommends upgrading AA to the latest version, 9.1SP5, to mitigate the vulnerability tracked by NIST as CVE-2018-1270.
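To verify that a deployment (AA or any other Java application) no longer ships a Spring Framework build in the affected ranges stated above, the following added Python example (not part of this article or of the product) parses Spring jar version strings and flags those that fall in the vulnerable ranges. The jar file-name pattern and the sample file names are assumptions.

```python
import re
from pathlib import Path

# Affected ranges stated for CVE-2018-1270: 5.0.x before 5.0.5 and
# 4.3.x before 4.3.16. Anything older than the 4.3 line is listed as
# "older unsupported versions" and is treated as affected.
FIXED_IN = {(5, 0): (5, 0, 5), (4, 3): (4, 3, 16)}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
# Assumed jar naming convention, e.g. spring-messaging-4.3.4.RELEASE.jar
_JAR_RE = re.compile(r"^spring-(?:messaging|core|framework)-(.+)\.jar$")


def parse_version(text):
    """Return (major, minor, patch) from '4.3.4.RELEASE' or '5.3.29'."""
    m = _VER_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Spring version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if a Spring Framework version is in an affected range."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_IN:
        return (major, minor, patch) < FIXED_IN[line]
    if line < (4, 3):
        return True  # older unsupported line, no fix available
    return False  # 5.1 and later lines shipped after the fix


def scan_jar_names(names):
    """Classify Spring jar file names; returns {name: vulnerable_bool}."""
    report = {}
    for name in names:
        m = _JAR_RE.match(name)
        if m:
            report[name] = is_vulnerable(m.group(1))
    return report


def scan_directory(path):
    """Walk a lib directory (e.g. WEB-INF/lib) and classify its Spring jars."""
    return scan_jar_names(p.name for p in Path(path).rglob("*.jar"))


if __name__ == "__main__":
    # Constructed sample of jar names as they might appear in WEB-INF/lib.
    sample = ["spring-messaging-4.3.4.RELEASE.jar",
              "spring-messaging-5.3.29.jar", "commons-io-2.6.jar"]
    for name, vuln in scan_jar_names(sample).items():
        print(f"{name}: {'VULNERABLE' if vuln else 'ok'}")
```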