Our security scan shows detection of vulnerability CVE-2024-38816 for Spring Framework (e.g. version 5.3.37) in DX UIM.
How can this be remediated? The recommendation from the security team is to upgrade to 5.3.40; is that possible?
DX UIM 23.4.2 and prior
This is a known, published security vulnerability: CVE-2024-38819, CVE-2024-38820.
DX UIM is not vulnerable to this exploit.
As a matter of course, we plan to keep these frameworks up to date through the usual release process for cumulative updates. We are investigating upgrading the Spring Framework for version 20.4.3 (ETA - 2025).
However, this particular vulnerability only affects applications meeting the following criteria:
- serves webpages over HTTP
- is NOT run on Jetty or Tomcat
In the case of DX UIM, the only application that serves webpages over HTTP which uses the Spring Framework is the wasp probe. The wasp probe is an implementation of Tomcat and is therefore not vulnerable.
All other probes (aside from wasp) do not serve pages over HTTP and so are also not vulnerable.
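The two exposure criteria above (serves web pages over HTTP, and is not run on Jetty or Tomcat) can be applied to a probe's lib directory to record why a scanner finding is or is not applicable. The script below is an added example, not code from the article or from DX UIM; it assumes a flat directory of jars, that Spring jars carry a `META-INF/maven/org.springframework/<artifact>/pom.properties` entry, and that an embedded servlet container is recognisable from a `tomcat-embed-core` or `jetty-server` jar name. Whether a probe serves HTTP at all cannot be read from jars, so it is passed in as a flag. The sample jars are constructed in a temporary directory so the example runs offline.

```python
"""Added example: evaluate the KB article's two exposure criteria against a
directory of jars. Assumptions (not from the article): flat lib directory,
Spring jars with a Maven pom.properties entry, container identified by jar
name prefix. Sample jars below are constructed, not real DX UIM artifacts."""
import os
import re
import tempfile
import zipfile

# Spring Framework jars built by Maven carry this entry with a version= line.
SPRING_POM_RE = re.compile(
    r"^META-INF/maven/org\.springframework/([^/]+)/pom\.properties$")
# Jar name prefixes assumed to indicate an embedded servlet container.
CONTAINER_HINTS = {"tomcat-embed-core": "tomcat", "jetty-server": "jetty"}


def spring_version(jar_path):
    """Return the Spring Framework version recorded in the jar, or None."""
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if SPRING_POM_RE.match(name):
                text = zf.read(name).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    return None


def assess(lib_dir, serves_http):
    """Apply the article's criteria: affected only if Spring 5.x is present,
    the application serves pages over HTTP, and no Tomcat/Jetty container
    is found. Returns the evidence alongside the verdict."""
    versions = set()
    container = None
    for fname in sorted(os.listdir(lib_dir)):
        if not fname.endswith(".jar"):
            continue
        for prefix, kind in CONTAINER_HINTS.items():
            if fname.startswith(prefix):
                container = kind
        version = spring_version(os.path.join(lib_dir, fname))
        if version:
            versions.add(version)
    spring5 = any(v.split(".")[0] == "5" for v in versions)
    return {
        "spring_versions": sorted(versions),
        "container": container,
        "spring5": spring5,
        "meets_criteria": spring5 and serves_http and container is None,
    }


def build_sample_lib(with_container=True):
    """Construct a throwaway lib directory with fake jars (sample data)."""
    lib = tempfile.mkdtemp(prefix="sample-lib-")

    def write_jar(name, entries):
        with zipfile.ZipFile(os.path.join(lib, name), "w") as zf:
            for path, data in entries.items():
                zf.writestr(path, data)

    for artifact in ("spring-core", "spring-webmvc"):
        pom = ("version=5.3.37\ngroupId=org.springframework\n"
               f"artifactId={artifact}\n")
        write_jar(f"{artifact}-5.3.37.jar",
                  {f"META-INF/maven/org.springframework/{artifact}/pom.properties": pom})
    write_jar("unrelated-lib.jar", {"README.txt": "no spring here\n"})
    if with_container:
        # Placeholder version tag; real jars carry the Tomcat version here.
        write_jar("tomcat-embed-core-x.y.z.jar", {"README.txt": "container\n"})
    return lib


if __name__ == "__main__":
    # wasp-like probe: Spring 5.x, serves HTTP, runs on Tomcat -> not affected
    print(assess(build_sample_lib(with_container=True), serves_http=True))
    # hypothetical probe with no container -> meets the criteria
    print(assess(build_sample_lib(with_container=False), serves_http=True))
```

The verdict field only encodes the article's stated criteria; the evidence fields (versions found, container found) are what belong in the ticket reply to the scanning team, since the scanner matched on the Spring version alone.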
All versions of Spring Framework 5.x have this security vulnerability.
These vulnerabilities are fixed in Spring Framework 6.x, but it requires Java 17 or above.
As of 2 Dec 2024, all probes that use Spring Framework 5.x will be upgraded to 6.x and will need Java upgraded as well. Engineering will need to certify both Java and the updated Spring Framework. ETA is Q2 FY25. This may not make it into 23.4.3; it may be in 23.4.3.1.