SiteMinder 12.8 SP7 admin UI: Spring Framework Denial of Service Data Binding Vulnerability 376642,CVE-2022-22970

Article ID: 273229


Products

SiteMinder
CA BCS Premier for CA Single Sign-On
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

The security team reported that the 12.8 SP7 Admin UI is subject to the Spring Framework Denial of Service Data Binding Vulnerability (Qualys QID 376642, CVE-2022-22970).

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22970

CVE description: in Spring Framework versions prior to 5.3.20 and 5.2.22, and in old unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Environment

Release: 12.8.07 (12.8 SP7)

Cause

Third-party library vulnerability: the Spring Framework 5.3.18 jars bundled with the Admin UI.

Resolution

The SiteMinder Admin UI (user_console) application does not use data binding to set a MultipartFile or javax.servlet.Part on a model object, so the vulnerability is not expected to affect Admin UI functionality; the scanner finding is based on the Spring jar versions present in the deployment.

Broadcom engineering has nevertheless provided steps to upgrade the Spring Framework binaries in place to version 5.3.20 on 12.8 SP7.

Broadcom engineering will ship the latest IAMFramework, with the updated Spring Framework, in the next release.

The following Spring Framework jars in the Admin UI are flagged as vulnerable (per https://cve.report/qid/376642). Spring Framework modules must all be kept at the same version, so all seven jars are replaced together even though the data-binding fix does not touch every module:

spring-web-5.3.18.jar
spring-core-5.3.18.jar
spring-tx-5.3.18.jar
spring-beans-5.3.18.jar
spring-aop-5.3.18.jar
spring-expression-5.3.18.jar
spring-context-5.3.18.jar

To fix the reported vulnerability, the Spring Framework binaries need to be upgraded to version 5.3.20 (see https://spring.io/security/cve-2022-22970).

Follow the steps below to remove the vulnerable Spring Framework jars (5.3.18) and install the Spring Framework 5.3.20 jars in the Admin UI:

1. Stop the Admin UI server.

2. Go to the library folder of the deployed EAR:
Linux: <install_location>/adminui/standalone/deployments/iam_siteminder.ear/library
Windows: <install_location>\adminui\standalone\deployments\iam_siteminder.ear\library

3. Back up the files below, then delete them from this location:
spring-web-5.3.18.jar
spring-core-5.3.18.jar
spring-tx-5.3.18.jar
spring-beans-5.3.18.jar
spring-aop-5.3.18.jar
spring-expression-5.3.18.jar
spring-context-5.3.18.jar

4. Go to the folder <install_location>/adminui/standalone/tmp/

5. Remove the vfs folder there if it exists (it is the application server's cache of the exploded deployment and would otherwise be reused on restart).

6. Download the Spring Framework 5.3.20 jars from Maven Central:

https://mvnrepository.com/artifact/org.springframework/spring-beans/5.3.20
https://mvnrepository.com/artifact/org.springframework/spring-context/5.3.20
https://mvnrepository.com/artifact/org.springframework/spring-core/5.3.20
https://mvnrepository.com/artifact/org.springframework/spring-expression/5.3.20
https://mvnrepository.com/artifact/org.springframework/spring-tx/5.3.20
https://mvnrepository.com/artifact/org.springframework/spring-web/5.3.20
https://mvnrepository.com/artifact/org.springframework/spring-aop/5.3.20
This gives the following files:
spring-web-5.3.20.jar
spring-core-5.3.20.jar
spring-tx-5.3.20.jar
spring-beans-5.3.20.jar
spring-aop-5.3.20.jar
spring-expression-5.3.20.jar
spring-context-5.3.20.jar

7. Go to the folder <install_location>/adminui/standalone/deployments/iam_siteminder.ear/library and copy the seven Spring Framework 5.3.20 jars into it.

8. Start the Admin UI.
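The procedure above as a POSIX shell script, added here as an example and not Broadcom's own tooling. It performs steps 2 to 7 against the installation root passed as its argument, verifies every download against the .sha1 file Maven Central publishes next to each artifact, and checks afterwards that all seven modules are present at 5.3.20 with no 5.3.18 jar left behind. Stopping and starting the Admin UI (steps 1 and 8) is left to the operator. It assumes curl and sha1sum are on the PATH, that repo1.maven.org serves the same binaries the mvnrepository.com pages link to, and the backup directory name is the script's own choice.

```shell
#!/bin/sh
# Added example: in-place swap of the Admin UI Spring jars 5.3.18 -> 5.3.20.
# Not Broadcom's script. Paths follow the article; run with the Admin UI stopped.
set -e

OLD_VERSION="5.3.18"
NEW_VERSION="5.3.20"
# The seven Spring modules the article lists under iam_siteminder.ear/library.
MODULES="spring-web spring-core spring-tx spring-beans spring-aop spring-expression spring-context"

# Maven Central download URL for one module/version (assumption: repo1.maven.org
# layout, the repository behind the mvnrepository.com pages in the article).
maven_url() {
    echo "https://repo1.maven.org/maven2/org/springframework/$1/$2/$1-$2.jar"
}

# Step 3: move the old jars out of the library directory into a backup folder.
# Usage: backup_old_jars <library_dir> <backup_dir>
backup_old_jars() {
    lib="$1"; backup="$2"
    mkdir -p "$backup"
    for m in $MODULES; do
        jar="$lib/$m-$OLD_VERSION.jar"
        if [ -f "$jar" ]; then
            mv "$jar" "$backup/"
        fi
    done
}

# Steps 6-7: fetch each 5.3.20 jar and compare it with the .sha1 published next
# to it, so a truncated or substituted download never reaches the EAR.
# Usage: fetch_new_jars <dest_dir>
fetch_new_jars() {
    dest="$1"
    mkdir -p "$dest"
    for m in $MODULES; do
        url="$(maven_url "$m" "$NEW_VERSION")"
        curl -fsSL -o "$dest/$m-$NEW_VERSION.jar" "$url"
        expected="$(curl -fsSL "$url.sha1" | cut -d' ' -f1)"
        actual="$(sha1sum "$dest/$m-$NEW_VERSION.jar" | cut -d' ' -f1)"
        if [ "$expected" != "$actual" ]; then
            echo "checksum mismatch for $m-$NEW_VERSION.jar" >&2
            return 1
        fi
    done
}

# Post-check: every module must be present at NEW_VERSION and no OLD_VERSION jar
# may remain; a mixed set of Spring module versions is what breaks the restart.
# Usage: verify_library <library_dir>   (prints problems, returns 1 if any)
verify_library() {
    lib="$1"; rc=0
    for m in $MODULES; do
        if [ ! -f "$lib/$m-$NEW_VERSION.jar" ]; then
            echo "missing $m-$NEW_VERSION.jar"; rc=1
        fi
        if [ -f "$lib/$m-$OLD_VERSION.jar" ]; then
            echo "stale $m-$OLD_VERSION.jar still present"; rc=1
        fi
    done
    return "$rc"
}

# Steps 2-7 end to end. Usage: main <install_location>
main() {
    home="$1"
    lib="$home/adminui/standalone/deployments/iam_siteminder.ear/library"
    backup="$home/adminui/spring-$OLD_VERSION-backup-$(date +%Y%m%d)"  # name is this script's choice
    backup_old_jars "$lib" "$backup"
    rm -rf "$home/adminui/standalone/tmp/vfs"    # step 5: drop the cached exploded deployment
    fetch_new_jars "$lib"
    verify_library "$lib"
}

# Only run the full procedure when an install location is given on the command line.
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

Run as `sh upgrade-spring.sh /opt/CA/siteminder` (path is an example) after stopping the Admin UI; a non-zero exit means a download failed its checksum or the library directory is not in the expected end state, and the backup folder holds the original jars for rollback.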

Additional Information

Defect: DE574064

Related article: Spring Framework 4.3.4 vulnerability in SiteMinder Admin UI

https://knowledge.broadcom.com/external/article?articleId=226985

Attachments

DE574064_1694188981477.zip