Java 'Runtime Framework' vulnerability

Article ID: 270971

Updated On:

Products

CA Identity Suite

Issue/Introduction

Our security scan found a vulnerability on one of our servers.
After some research it turned out that this is caused by 'Runtime Framework' which is embedded in Java.
Java (and Runtime Framework) is included when installing CA Identity Suite.

- Is there a CA Identity Suite update that updates everything at once? (CA, Java, Runtime Framework)
- Or perhaps upgrade Spring Framework to version 5.3.18 or later. Do you have experience with this?

Because if I only update Java, the vulnerability will come back in a few months. Previous Java update: version 8, build 261. Most recent Java update: version 8, build 301.  

Vulnerabilities:
CVSSv1: 9.8 CVE-2016-1000027,
CVSSv1: 9.8 CVE-2018-1275,
CVSSv1: 9.8 CVE-2018-1270,
CVSSv1: 9.6 CVE-2015-5211,
CVSSv1: 8.8 CVE-2014-0225.

Thank you!

Environment

Release :

Resolution

In 14.4 CP2 we use the 5.3.18 versions of the Spring Framework JARs, which fix the following CVEs:

CVSSv1: 9.8 CVE-2016-1000027,
CVSSv1: 9.8 CVE-2018-1275,
CVSSv1: 9.8 CVE-2018-1270,
CVSSv1: 9.6 CVE-2015-5211,
CVSSv1: 8.8 CVE-2014-0225.

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=ZT4Yn2hwVZyR7Mh1cVFBRQ==
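
To confirm after patching that no older Spring Framework JARs remain, the following added example (not Broadcom's code) walks an install tree, including JARs packed inside WAR/EAR files, and lists Spring Framework JARs older than 5.3.18. The short module list, the directory layout and the sample JAR names in `demo()` are assumptions constructed for illustration.

```python
import io, re, tempfile, zipfile
from pathlib import Path

FIXED = (5, 3, 18)  # Spring Framework version named in the Resolution
# Spring Framework modules only; other spring-* projects use different version lines.
MODULES = {"spring-aop", "spring-beans", "spring-context", "spring-core",
           "spring-expression", "spring-messaging", "spring-web", "spring-webmvc"}
JAR_RE = re.compile(r"(?:^|/)(spring-[a-z-]+)-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")

def check(location, hits):
    """Record location if it names a Spring Framework jar older than FIXED."""
    m = JAR_RE.search(location)
    if m and m.group(1) in MODULES:
        version = tuple(map(int, m.group(2, 3, 4)))
        if version < FIXED:
            hits.append((location, m.group(1), ".".join(map(str, version))))

def scan_archive(label, fileobj, hits):
    """Check jar names inside a WAR/EAR, descending into nested WAR/EAR files."""
    try:
        with zipfile.ZipFile(fileobj) as z:
            for name in z.namelist():
                check(f"{label}!/{name}", hits)
                if name.lower().endswith((".war", ".ear")):
                    scan_archive(f"{label}!/{name}", io.BytesIO(z.read(name)), hits)
    except zipfile.BadZipFile:
        pass  # not a readable archive; skip it

def find_outdated(root):
    """Return [(location, module, version)] for every outdated jar under root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            check(path.as_posix(), hits)
            if path.suffix.lower() in (".war", ".ear"):
                scan_archive(path.as_posix(), path, hits)
    return hits

def demo():
    """Scan a constructed tree: one fixed jar, one old jar, one old jar in a WAR."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "spring-core-5.3.18.jar").touch()
        Path(tmp, "spring-beans-4.3.9.RELEASE.jar").touch()
        with zipfile.ZipFile(Path(tmp, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/spring-web-5.2.3.RELEASE.jar", b"")
        return [(module, version) for _, module, version in find_outdated(tmp)]

if __name__ == "__main__":
    print(demo())
```

The check matches on file names only, so a renamed or repackaged JAR will not be reported.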