As a part of the security scanning process, the below third-party library from the Symantec Directory is reported as vulnerable.

CVE-2018-25031 (org.webjars swagger-ui : 3.24.3)

Location of the file from Symantec Directory installation package for this is reported as - ./cadirectory-binary-14.1.5.tar.gz/dxserver/linux_x86_64/cadxagent141.tar.gz/doc/swagger-ui-bundle.js

Symantec Directory14.1 SP5 and below

Vulnerability

In Directory versions before 14.1, there were DXagent APIs along with MUI APIs.

The swagger-ui files present in $DXHOME/dxagent/doc were used for DXagent APIs.

But now those APIs are deprecated and the users are supposed to use MUI APIs for Dxagent-related APIs also. But the Swagger-UI files are not updated in dxagent/doc folder.

Solution is to manually delete the swagger-ui files form the host as they are nowhere used by Symantec Directory.

Below are the list of files(at $DXHOME/dxagent/doc)

• dxagent-api.html
• favicon-16x16.png
• favicon-32x32.png
• index.html
• oauth2-redirect.html
• swagger-ui.css
• swagger-ui.css.map
• swagger-ui-bundle.js
• swagger-ui-bundle.js.map
• swagger-ui-standalone-preset.js
• swagger-ui-standalone-preset.js.map

A shell script(remove_swagger.sh) is available to delete the swagger-ui files from the installer file.

The following steps are to be followed

• Place the remove_swagger.sh in the directory which contains the installer file
• Give needed permissions to this file
• Line 2 in the .sh file contains the name of the installer file. Make sure it matches with the installer file name that the customer has. (INSTALLER_FILE=<installer_filename>)
• Run the shell script

This should remove the swagger-ui files.

Raise a support ticket for remove_swagger.sh file