Spring Framework Vulnerability CVE-2024-38808 - impact on DX UIM
search cancel

Spring Framework Vulnerability CVE-2024-38808 - impact on DX UIM

book

Article ID: 380174

calendar_today

Updated On:

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

Our security scan shows detection of vulnerability CVE-2024-38808 for Spring Framework (e.g. version 5.3.37) in DX UIM.

How can this be remediated?  Recommendation from security team is to upgrade to 5.3.40, is it possible?

Environment

DX UIM - 23.4.2 and prior

Cause

In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition.

Specifically, an application is vulnerable when the following is true:

The application evaluates user-supplied SpEL expressions.

Resolution

DX UIM is not vulnerable to this exploit.

As a matter of course, we plan to keep these frameworks up-to-date through the usual release process for cumulative updates.  We are investigating upgrading the Spring Framework for version 20.4.3 (ETA - end of 2024/early 2025).

However, this particular vulnerability only affects applications which evaluate user-supplied SpEL expressions.

DX UIM does not evaluate user-supplied SpEL expressions and is therefore not vulnerable.

Additional Information