Third-party software vulnerabilities in Advanced Authentication 9.1SP5

Article ID: 379187


Products

CA Strong Authentication
CA Advanced Authentication
CA Advanced Authentication - Risk Authentication (RiskMinder / RiskFort)
CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort)
CA Risk Authentication

Issue/Introduction

When a vulnerability scan is run against Advanced Authentication, the NexusIQ vulnerability scanner reports the following Common Vulnerabilities and Exposures (CVE) entries and Sonatype advisories:

| Vulnerability | Artifact |
| --- | --- |
| sonatype-2024-0946, sonatype-2019-0673, CVE-2024-29857, CVE-2024-30172, CVE-2024-30171, CVE-2023-33201, CVE-2023-33202 | bcprov-jdk15on : 1.69 |
| sonatype-2020-1349 | commons-dbcp : 1.3 |
| CVE-2023-6378 | logback-classic : 1.3.0-alpha16 |
| CVE-2023-6378 | logback-core : 1.3.0-alpha16 |
| CVE-2023-5072, CVE-2022-45688 | json : 20180813 |
| CVE-2022-45693, CVE-2022-40149, CVE-2022-45685, CVE-2022-40150, CVE-2023-1436 | jettison : 1.3.8 |
| CVE-2023-49735 | tiles-core : 3.0.8 |
| CVE-2014-0114 | commons-beanutils : 1.7.0 |
| sonatype-2022-6438 | jackson-core : 2.13.3 |
| CVE-2022-40152 | woodstox-core : 6.2.7 |
| sonatype-2020-0926, CVE-2023-2976 | guava : 31.1-jre |
| sonatype-2017-0348 | xercesImpl : 2.12.2 |
| CVE-2012-5783 | commons-httpclient : 3.1 |
| CVE-2024-23080 | joda-time : 2.2 |
| CVE-2024-23080 | joda-time : 2.9.9 |
| CVE-2024-21742 | apache-mime4j-core : 0.7.2 |
| sonatype-2017-0492 | mail : 1.4 |

Environment

Symantec Advanced Authentication 9.1SP5

Resolution

Here is the product team's vulnerability impact analysis:

| Vulnerability | Artifact | Severity | Changed Version | Remarks |
| --- | --- | --- | --- | --- |
| sonatype-2024-0946, sonatype-2019-0673, CVE-2024-29857, CVE-2024-30172, CVE-2024-30171, CVE-2023-33201, CVE-2023-33202 | bcprov-jdk15on : 1.69 | Critical | 1.78 | |
| sonatype-2020-1349 | commons-dbcp : 1.3 | High | 1.4 | |
| sonatype-2020-0926, CVE-2023-2976 | guava : 31.1-jre | High | 33.3.0-jre | |
| CVE-2023-6378 | logback-classic : 1.3.0-alpha16 | High | NA | Even the latest version (1.5.7) is vulnerable |
| CVE-2023-6378 | logback-core : 1.3.0-alpha16 | High | NA | Requires JDK upgrade |
| CVE-2023-5072, CVE-2022-45688 | json : 20180813 | High | NA | Even the latest version (20240303) is vulnerable |
| CVE-2022-45693, CVE-2022-40149, CVE-2022-45685, CVE-2022-40150, CVE-2023-1436 | jettison : 1.3.8 | High | NA | Version not present in code |
| CVE-2023-49735 | tiles-core : 3.0.8 | High | NA | No version released after this |
| CVE-2014-0114 | commons-beanutils : 1.7.0 | High | NA | Version not present in code |
| sonatype-2022-6438 | jackson-core : 2.13.3 | Medium | NA | Medium severity not considered |
| CVE-2022-40152 | woodstox-core : 6.2.7 | High | NA | Not present in any pom.xml |
| sonatype-2017-0348 | xercesImpl : 2.12.2 | High | NA | No version released after this |
| CVE-2012-5783 | commons-httpclient : 3.1 | Medium | NA | Medium severity not considered |
| CVE-2024-23080 | joda-time : 2.2 | Analysis not yet provided by NVD | NA | |
| CVE-2024-23080 | joda-time : 2.9.9 | Analysis not yet provided by NVD | NA | |
| CVE-2024-21742 | apache-mime4j-core : 0.7.2 | Analysis not yet provided by NVD | NA | |
| sonatype-2017-0492 | mail : 1.4 | Medium | NA | Medium severity not considered |


The Symantec Advanced Authentication product team has released patch 9.1.5.1, which addresses the three vulnerabilities marked in red in the original table (the rows above that list a changed version). The patch is available for download from the support portal.
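After applying 9.1.5.1, a practitioner will want to confirm that the three upgraded libraries actually landed at or above the "Changed Version" listed in the analysis, and to separate those findings from the "NA" rows where no upgrade exists and a scanner hit is expected. The following script is an added example written for this article; it is not code from Symantec, Broadcom, or the NexusIQ scanner. It assumes the product's library directory contains jars named in the Maven `artifact-version.jar` convention, takes the fixed versions and the no-fix artifacts straight from the table above, and uses a simplified Maven-style version ordering (numeric parts compared numerically, textual qualifiers such as `alpha16` or `jre` sorting below a plain release of the same numbers). The sample jar list at the bottom is constructed for illustration.

```python
"""Audit a jar directory against the impact analysis above.

Example code added to this article; not part of Advanced Authentication.
Assumes Maven-style jar names such as bcprov-jdk15on-1.78.jar.
"""
import re
from pathlib import Path

# Minimum fixed versions, from the "Changed Version" column of the analysis.
FIXED_VERSIONS = {
    "bcprov-jdk15on": "1.78",
    "commons-dbcp": "1.4",
    "guava": "33.3.0-jre",
}

# Artifacts the analysis leaves at "NA": no upgraded version shipped, so a
# scanner finding on these is expected and is tracked rather than treated as a
# failed patch. (Subset of the NA rows above that are actually present in code.)
NO_FIX_AVAILABLE = {"logback-classic", "logback-core", "json", "tiles-core", "xercesImpl"}

# artifact is everything up to the first "-<digit>" boundary; version is the rest.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def version_key(version):
    """Tokenise a version for ordering.

    Numeric tokens become (1, n, ""); textual qualifiers become (0, 0, text),
    so "1.3.0-alpha16" sorts below "1.3.0". This is a deliberate simplification
    of Maven's full ordering; it is enough for the versions in the table.
    """
    parts = []
    for tok in re.split(r"[.\-]", version):
        if tok.isdigit():
            parts.append((1, int(tok), ""))
        else:
            parts.append((0, 0, tok.lower()))
    return parts


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is lower than, equal to, or higher than b."""
    ka, kb = version_key(a), version_key(b)
    pad = (1, 0, "")  # missing trailing components count as .0, so 1.3 == 1.3.0
    n = max(len(ka), len(kb))
    ka += [pad] * (n - len(ka))
    kb += [pad] * (n - len(kb))
    return (ka > kb) - (ka < kb)


def parse_jar_name(name):
    """Split 'artifact-version.jar' into (artifact, version), or None."""
    m = JAR_RE.match(Path(name).name)
    return (m["artifact"], m["version"]) if m else None


def audit_jars(jar_names):
    """Map each flagged artifact found to (version, status).

    status is 'fixed', 'vulnerable' (below the fixed version after the patch)
    or 'no-fix-available' (an NA row; expected finding, needs tracking).
    """
    result = {}
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed is None:
            continue
        artifact, version = parsed
        if artifact in FIXED_VERSIONS:
            ok = compare_versions(version, FIXED_VERSIONS[artifact]) >= 0
            result[artifact] = (version, "fixed" if ok else "vulnerable")
        elif artifact in NO_FIX_AVAILABLE:
            result[artifact] = (version, "no-fix-available")
    return result


def audit_directory(lib_dir):
    """Run audit_jars over every *.jar in a directory (hypothetical path)."""
    return audit_jars(p.name for p in Path(lib_dir).glob("*.jar"))


# Constructed sample: a lib directory where the patch only partly applied.
SAMPLE_JARS = [
    "bcprov-jdk15on-1.78.jar",
    "commons-dbcp-1.3.jar",
    "guava-33.3.0-jre.jar",
    "logback-classic-1.3.0-alpha16.jar",
    "commons-lang3-3.12.0.jar",
]

if __name__ == "__main__":
    for artifact, (version, status) in sorted(audit_jars(SAMPLE_JARS).items()):
        print(f"{artifact:20} {version:16} {status}")
```

Run against the real directory with `audit_directory("/path/to/lib")`; any artifact reported as `vulnerable` means the jar shipped by the patch did not replace the old one, while `no-fix-available` rows are the ones to carry as accepted risk until the upstream fix (or the JDK upgrade noted for logback-core) is available.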