Spring Framework Vulnerability CVE-2024-38816 - impact on DX UIM

Article ID: 380172

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

Our security scan shows detection of vulnerability CVE-2024-38816 for Spring Framework (e.g. version 5.3.37) in DX UIM.

How can this be remediated? The recommendation from our security team is to upgrade to 5.3.40; is that possible?

Environment

DX UIM 23.4.2 and prior

Cause

This is a known, published security vulnerability (CVE-2024-38819, CVE-2024-38820).

Resolution

DX UIM is not vulnerable to this exploit.

As a matter of course, we plan to keep these frameworks up to date through the usual release process for cumulative updates. We are investigating upgrading the Spring Framework for version 20.4.3 (ETA - 2025).

However, this particular vulnerability only affects applications meeting the following criteria:
- serves webpages over HTTP
- is NOT run on Jetty or Tomcat

In the case of DX UIM, the only application that serves webpages over HTTP and uses the Spring Framework is the wasp probe. The wasp probe is an implementation of Tomcat and is therefore not vulnerable.

All other probes (aside from wasp) do not serve pages over HTTP and so are also not vulnerable.
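The two criteria above (an affected Spring version is present, and the probe serves HTTP without running on Tomcat or Jetty) can be turned into a quick local triage. The script below is an added example written for this article; it is not Broadcom's or the DX UIM product's own tooling. It assumes a hypothetical layout of one directory per probe with jars under it, and identifies Spring artifacts and an embedded Tomcat/Jetty from jar file names (both assumptions; a real install may differ). It builds a small constructed directory tree so it runs offline.

```python
import re
import tempfile
from pathlib import Path

# Jar naming conventions assumed for this example: spring-<module>-<major>.<minor>.<patch>[-qualifier].jar
SPRING_JAR = re.compile(r"^(spring-[a-z\-]+)-(\d+)\.(\d+)\.(\d+)(?:[.-][\w.]+)?\.jar$")
# Presence of either jar is taken as "runs on Tomcat or Jetty" (assumption for this example).
CONTAINER_JAR = re.compile(r"^(tomcat-embed-core|jetty-server)-.*\.jar$")


def parse_spring_jar(name):
    """Return (artifact, (major, minor, patch)) for a Spring jar name, else None."""
    m = SPRING_JAR.match(name)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def inventory_probes(root):
    """Walk <root>/<probe>/... and collect Spring jars and container jars per probe."""
    root = Path(root)
    result = {}
    for probe_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        spring, container = [], False
        for jar in probe_dir.rglob("*.jar"):
            parsed = parse_spring_jar(jar.name)
            if parsed:
                spring.append(parsed)
            elif CONTAINER_JAR.match(jar.name):
                container = True
        if spring:  # probes without Spring are out of scope for this CVE
            result[probe_dir.name] = {"spring": sorted(spring), "embedded_container": container}
    return result


def triage(inventory):
    """Apply the article's criteria: all Spring 5.x is affected; exposure needs HTTP serving off Tomcat/Jetty."""
    rows = []
    for probe, info in inventory.items():
        affected = [v for _, v in info["spring"] if v[0] == 5]
        if not affected:
            status = "not affected (no Spring 5.x)"
        elif info["embedded_container"]:
            status = "affected version present, runs on Tomcat/Jetty: not exploitable"
        else:
            status = "affected version present: verify whether probe serves HTTP"
        rows.append((probe, status))
    return rows


def build_sample_tree():
    """Constructed sample layout (not a real UIM install); returns the probes root."""
    root = Path(tempfile.mkdtemp()) / "probes"
    sample = {
        "wasp/lib": ["spring-web-5.3.37.jar", "tomcat-embed-core-9.0.0.jar"],
        "hub/lib": ["spring-core-5.3.37.jar"],
        "foo/lib": ["spring-core-6.0.0.jar"],
        "bar/lib": ["commons-io-2.0.0.jar"],
    }
    for rel, jars in sample.items():
        d = root / rel
        d.mkdir(parents=True)
        for j in jars:
            (d / j).touch()
    return root


if __name__ == "__main__":
    for probe, status in triage(inventory_probes(build_sample_tree())):
        print(f"{probe:8} {status}")
```

The "verify whether probe serves HTTP" outcome is deliberately left to a human: the jar inventory can show that an affected version is present, but whether a process actually exposes HTTP endpoints is a runtime property that the article answers for wasp and the other probes, not something a file scan can settle.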

All versions of Spring Framework 5.x have this security vulnerability.

These vulnerabilities are fixed in Spring Framework 6.x, but that release requires Java 17 or above.

As of 2 Dec 2024, all probes that use Spring Framework 5.x will be upgraded to 6.x and will need Java upgraded as well. Engineering will need to certify both Java and the updated Spring Framework. ETA is Q2 FY25; this may not make it into 23.4.3 and may instead be delivered in 23.4.3.1.

Additional Information