Our security scan shows detection of vulnerability CVE-2024-38808 for Spring Framework (e.g. version 5.3.37) in DX UIM.
How can this be remediated? Recommendation from security team is to upgrade to 5.3.40, is it possible?
DX UIM - 23.4.2 and prior
In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition.
Specifically, an application is vulnerable when the following is true:
The application evaluates user-supplied SpEL expressions.
DX UIM is not vulnerable to this exploit.
As a matter of course, we plan to keep these frameworks up-to-date through the usual release process for cumulative updates. We are investigating upgrading the Spring Framework for version 20.4.3 (ETA - end of 2024/early 2025).
However, this particular vulnerability only affects applications which evaluate user-supplied SpEL expressions.
DX UIM does not evaluate user-supplied SpEL expressions and is therefore not vulnerable.