Vulnerabilities on spring-core-5.3.37.jar
Article ID: 383198

Products

CA API Gateway

Issue/Introduction

The jar below was flagged by our security team. When will an update be available for it?

[JVPR-6081] Spring Framework < 5.3.41 / 6.0.x < 6.0.25 / 6.1.x < 6.1.14 Multiple Vulnerabilities 

Plugin Output: 
  Path              : /opt/SecureSpan/Gateway/runtime/lib/spring-core-5.3.37.jar
  Installed version : 5.3.37
  Fixed version     : 5.3.41

  Path              : /opt/SecureSpan/Controller/lib/spring-core-5.3.37.jar
  Installed version : 5.3.37
  Fixed version     : 5.3.41

The correlating CVEs are CVE-2024-38819 and CVE-2024-38820.
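To track findings like the one above across many hosts, it helps to turn the scanner's free-text "Plugin Output" into structured records and compare the installed and fixed versions numerically rather than by eye. The following is an added example written for this article, not Broadcom or Tenable code; it assumes the three-field `Path` / `Installed version` / `Fixed version` layout shown above and uses the quoted output as constructed sample input.

```python
"""Parse scanner 'Plugin Output' blocks into findings and flag each jar
whose installed version is below the scanner's fixed version."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the plugin output quoted in the article.
SAMPLE_OUTPUT = """\
  Path              : /opt/SecureSpan/Gateway/runtime/lib/spring-core-5.3.37.jar
  Installed version : 5.3.37
  Fixed version     : 5.3.41

  Path              : /opt/SecureSpan/Controller/lib/spring-core-5.3.37.jar
  Installed version : 5.3.37
  Fixed version     : 5.3.41
"""

# One "Key : value" line; the three keys are the ones the scanner emits.
FIELD_RE = re.compile(r"^\s*(Path|Installed version|Fixed version)\s*:\s*(\S+)\s*$")

# Maven-style jar name: <artifact>-<version>.jar, version starting with a digit.
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][\w-]*?)-(?P<version>\d[\w.-]*)\.jar$")


def parse_version(v: str) -> tuple:
    """'5.3.37' -> (5, 3, 37). Trailing non-numeric qualifiers such as
    'RELEASE' are dropped so that tuples compare numerically."""
    parts = []
    for p in v.split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def jar_coordinates(path: str) -> Optional[tuple]:
    """Return (artifact, version) from a jar path, or None if it does not
    follow the artifact-version.jar convention."""
    name = path.rsplit("/", 1)[-1]
    m = JAR_RE.match(name)
    return (m.group("artifact"), m.group("version")) if m else None


@dataclass
class Finding:
    path: str
    installed: str
    fixed: str

    def below_fixed(self) -> bool:
        """True when the installed version is older than the fixed version."""
        return parse_version(self.installed) < parse_version(self.fixed)

    def filename_matches(self) -> bool:
        """Cross-check: the version embedded in the jar filename should agree
        with the 'Installed version' the scanner reports."""
        coords = jar_coordinates(self.path)
        return coords is not None and coords[1] == self.installed


def parse_plugin_output(text: str) -> list:
    """Group consecutive Path/Installed/Fixed lines into Finding records."""
    findings, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # blank lines and headers are skipped
        key, value = m.groups()
        current[key] = value
        if key == "Fixed version":  # last field of a record closes it
            findings.append(Finding(current["Path"], current["Installed version"], value))
            current = {}
    return findings


def summarize(text: str, cves: tuple) -> list:
    """Flatten findings into dicts suitable for a tracking spreadsheet or
    ticket, carrying the CVE ids the scanner correlated to the plugin."""
    return [
        {
            "path": f.path,
            "artifact": (jar_coordinates(f.path) or ("?", "?"))[0],
            "installed": f.installed,
            "fixed": f.fixed,
            "below_fixed": f.below_fixed(),
            "filename_consistent": f.filename_matches(),
            "cves": list(cves),
        }
        for f in parse_plugin_output(text)
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_OUTPUT, ("CVE-2024-38819", "CVE-2024-38820")):
        print(row)
```

The `below_fixed` flag only says that the scanner's version threshold is not met; whether the affected code path is reachable (the question the Resolution section answers) is a separate, per-product judgement that this record is meant to carry alongside, not replace.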

Environment

API Gateway 11.x

Resolution

The Gateway is not vulnerable to either CVE:

CVE-2024-38819: This affects applications built on the WebMvc.fn or WebFlux.fn web frameworks. The Gateway does not use these web frameworks and is therefore not vulnerable.

CVE-2024-38820: This is a low-severity CVE in the DataBinder functionality, and again the Gateway is not vulnerable.

Additional Information

Spring Framework 5.3.x reached end of life in August 2024, but Broadcom holds a commercial license and will continue to receive updates.

An upgrade of Spring Core to 6.x is planned for release 11.1, with an ETA of December 2025.