Vulnerability in Spring Framework 5.3.x on Siteminder AdminUI

Article ID: 384438


Products

SITEMINDER

Issue/Introduction

Siteminder AdminUI uses the IAM Framework. The IAM Framework is bundled with Spring Framework. As a result, the Siteminder AdminUI is shipped with the following versions of the Spring Framework:

r12.8.8.1:  Spring Framework 5.3.18*
r12.8.8:    Spring Framework 5.3.18*
r12.8.7:    Spring Framework 5.3.18*

KB 281692*  Delivered Spring Framework 5.3.33

KB 373972*  Delivered Spring Framework 5.3.34

A number of CVEs have been published addressing vulnerabilities in Spring Framework 5.3.18 and later.

* These KBs have been archived. This KB (384438) supersedes them.


Environment

PRODUCT: Symantec Siteminder

COMPONENT: AdminUI

VERSION: r12.8.7 - 12.8.8.1

OS: Any

Cause

Spring Framework 5.3.41 and older are impacted by the following CVEs:

CVE-2024-38829: Spring LDAP sensitive data exposure for case-sensitive comparisons

CVE-2024-38828: DoS via Spring MVC controller method with byte[] parameter

CVE-2024-38819: Path traversal vulnerability in functional web frameworks (2nd report)

CVE-2024-38820: Spring Framework DataBinder Case Sensitive Match Exception

CVE-2024-38816: Path traversal vulnerability in functional web frameworks

CVE-2024-38808: Spring Expression DoS Vulnerability

CVE-2024-38809: Spring Framework DoS via conditional HTTP request

CVE-2024-22262: Spring Framework URL Parsing with Host Validation (3rd report)

CVE-2024-22259: Spring Framework URL Parsing with Host Validation (2nd report)

CVE-2024-22243: Spring Framework URL Parsing with Host Validation

CVE-2023-20863: Spring Expression DoS Vulnerability

CVE-2023-20860: Security Bypass With Un-Prefixed Double Wildcard Pattern

CVE-2023-20861: Spring Expression DoS Vulnerability

CVE-2022-22970: Spring Framework DoS via Data Binding to MultipartFile or Servlet Part

CVE-2022-22971: Spring Framework DoS with STOMP over WebSocket

CVE-2022-22968: Spring Framework Data Binding Rules Vulnerability

Resolution

The Siteminder AdminUI doesn't use the Spring Framework binaries for any of its functions. The Spring Framework binaries can be safely removed from the Siteminder AdminUI.

How to Remove Spring Framework 5.3.x from the Siteminder AdminUI

WINDOWS

1.  Stop the AdminUI server

2.  Back up the following files, then delete them from this location:

<install_location>\adminui\standalone\deployments\iam_siteminder.ear\library\spring-core-5.3.xx.jar
<install_location>\adminui\standalone\deployments\iam_siteminder.ear\library\spring-tx-5.3.xx.jar
<install_location>\adminui\standalone\deployments\iam_siteminder.ear\library\spring-beans-5.3.xx.jar
<install_location>\adminui\standalone\deployments\iam_siteminder.ear\library\spring-aop-5.3.xx.jar
<install_location>\adminui\standalone\deployments\iam_siteminder.ear\library\spring-expression-5.3.xx.jar
<install_location>\adminui\standalone\deployments\iam_siteminder.ear\library\spring-context-5.3.xx.jar

<install_location>\adminui\standalone\deployments\iam_siteminder.ear\user_console.war\WEB-INF\lib\spring-ldap-core-2.4.1.jar

3.  Delete the following directory:

<install_location>\adminui\standalone\tmp\vfs\

4.  Start the AdminUI server

LINUX

1.  Stop the AdminUI server

2.  Back up the following files, then delete them from this location:

<install_location>/adminui/standalone/deployments/iam_siteminder.ear/library/spring-core-5.3.xx.jar
<install_location>/adminui/standalone/deployments/iam_siteminder.ear/library/spring-tx-5.3.xx.jar
<install_location>/adminui/standalone/deployments/iam_siteminder.ear/library/spring-beans-5.3.xx.jar
<install_location>/adminui/standalone/deployments/iam_siteminder.ear/library/spring-aop-5.3.xx.jar
<install_location>/adminui/standalone/deployments/iam_siteminder.ear/library/spring-expression-5.3.xx.jar
<install_location>/adminui/standalone/deployments/iam_siteminder.ear/library/spring-context-5.3.xx.jar

<install_location>/adminui/standalone/deployments/iam_siteminder.ear/user_console.war/WEB-INF/lib/spring-ldap-core-2.4.1.jar

3.  Delete the following directory:

<install_location>/adminui/standalone/tmp/vfs/

4.  Start the AdminUI server
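The following script is an added example for the Linux procedure above and is not part of this KB or of the Siteminder product. It inventories the jars the KB lists under <install_location>, flags the Spring Framework jars whose version is in the range the Cause section calls affected (5.3.41 and older), and then performs steps 2 and 3: copy each listed jar to a backup directory, delete it, and remove the VFS temp directory. It assumes the directory layout shown in the KB; steps 1 and 4 (stopping and starting the AdminUI server) are left to the operator, since the KB does not give a command for them. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the KB): inventory and remove the Spring jars the
# article lists. $1 is <install_location>; the layout below is the KB's.
# Stopping (step 1) and starting (step 4) the AdminUI server is NOT done here.

LIBREL="adminui/standalone/deployments/iam_siteminder.ear/library"
WEBLIBREL="adminui/standalone/deployments/iam_siteminder.ear/user_console.war/WEB-INF/lib"

# Print the full path of every listed jar that exists under $1, one per line.
listed_spring_jars() {
    lib="$1/$LIBREL"
    weblib="$1/$WEBLIBREL"
    for jar in "$lib"/spring-core-5.3.*.jar "$lib"/spring-tx-5.3.*.jar \
               "$lib"/spring-beans-5.3.*.jar "$lib"/spring-aop-5.3.*.jar \
               "$lib"/spring-expression-5.3.*.jar "$lib"/spring-context-5.3.*.jar \
               "$weblib"/spring-ldap-core-2.4.1.jar; do
        # An unmatched glob is left as literal text by sh; -f filters it out.
        [ -f "$jar" ] && printf '%s\n' "$jar"
    done
    return 0
}

# Number of listed jars currently present under $1.
count_listed_spring_jars() {
    listed_spring_jars "$1" | wc -l | tr -d ' '
}

# Version string from a jar file name, e.g. .../spring-core-5.3.18.jar -> 5.3.18
spring_jar_version() {
    v="${1##*/}"     # basename
    v="${v%.jar}"    # drop extension
    printf '%s\n' "${v##*-}"
}

# True (0) when a Spring Framework version is 5.3.x with x <= 41, the
# upper bound the KB gives for the listed CVEs.
is_affected_version() {
    major="${1%%.*}"
    rest="${1#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    case "$patch" in *[!0-9]*|'') return 1 ;; esac
    [ "$major" = 5 ] && [ "$minor" = 3 ] && [ "$patch" -le 41 ]
}

# Print the listed Framework jars whose version is in the affected range.
# spring-ldap-core is a separate project and is skipped by the version check.
affected_framework_jars() {
    listed_spring_jars "$1" | while IFS= read -r jar; do
        case "${jar##*/}" in spring-ldap-core-*) continue ;; esac
        if is_affected_version "$(spring_jar_version "$jar")"; then
            printf '%s\n' "$jar"
        fi
    done
}

# Steps 2 and 3: back up each listed jar into $2, delete it, then clear the
# VFS temp directory so no cached copy of the jars survives. Returns 0 only
# when no listed jar remains under $1.
remove_spring_jars() {
    install="$1"
    backup="$2"
    mkdir -p "$backup" || return 1
    listed_spring_jars "$install" | while IFS= read -r jar; do
        cp -p "$jar" "$backup/" && rm -f "$jar"
    done
    rm -rf "$install/adminui/standalone/tmp/vfs"
    [ "$(count_listed_spring_jars "$install")" -eq 0 ]
}

# Usage: sh remove_spring.sh <install_location> <backup_dir>   (server stopped first)
if [ $# -eq 2 ]; then
    echo "Affected Spring Framework jars found under $1:"
    affected_framework_jars "$1"
    remove_spring_jars "$1" "$2" && echo "Listed jars removed; start the AdminUI server (step 4)."
fi
```

Running `affected_framework_jars` on its own is a useful read-only pre-check: on an unpatched r12.8.7 through r12.8.8.1 install it should report the six 5.3.18 Framework jars, and after the removal it should print nothing. Jars not named in the KB are deliberately left untouched.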

Additional Information

For Spring Framework 4.3.x on r12.8.5 & r12.8.6/a and higher AdminUI, see KB 384446