The Siteminder AdminUI uses the IAM Framework, which is bundled with the Spring Framework. As a result, the Siteminder AdminUI ships with the following versions of the Spring Framework:
r12.8.6a: Spring Framework 4.3.4
r12.8.6: Spring Framework 4.3.4
r12.8.5: Spring Framework 4.3.4
PRODUCT: Symantec Siteminder
COMPONENT: AdminUI
VERSION: r12.8.5 - r12.8.6a
OS: Any
Spring Framework 4.3.28 and older are affected by the following CVEs:
CVE-2020-5421: RFD Protection Bypass via jsessionid
CVE-2020-5413: Kryo Configuration Allows Code Execution with Unknown “Serialization Gadgets”
CVE-2018-15756: DoS Attack via Range Requests
CVE-2018-1275: Address partial fix for CVE-2018-1270
CVE-2018-1272: Multipart Content Pollution with Spring Framework
CVE-2018-1271: Directory Traversal with Spring MVC on Windows
CVE-2018-1270: Remote Code Execution with spring-messaging
CVE-2018-1257: ReDoS Attack with spring-messaging
CVE-2018-1199: Security bypass with static resources
CVE-2018-11040: JSONP enabled by default in MappingJackson2JsonView
CVE-2018-11039: Cross Site Tracing (XST) with Spring Framework
CVE-2016-9878: Directory Traversal in the Spring Framework ResourceServlet
The Siteminder AdminUI does not use the Spring Framework binaries for any of its functions, so they can be safely removed from the Siteminder AdminUI.
How to Remove Spring Framework 4.3.x from the Siteminder AdminUI
WINDOWS
1. Stop the AdminUI server
2. Back up the following files, then delete them from this location:
<install_location>\adminui\standalone\deployments\iam_siteminder.ear\library\spring-core-4.3.xx.jar
<install_location>\adminui\standalone\deployments\iam_siteminder.ear\library\spring-tx-4.3.xx.jar
<install_location>\adminui\standalone\deployments\iam_siteminder.ear\library\spring-beans-4.3.xx.jar
<install_location>\adminui\standalone\deployments\iam_siteminder.ear\library\spring-aop-4.3.xx.jar
<install_location>\adminui\standalone\deployments\iam_siteminder.ear\library\spring-expression-4.3.xx.jar
<install_location>\adminui\standalone\deployments\iam_siteminder.ear\library\spring-context-4.3.xx.jar
<install_location>\adminui\standalone\deployments\iam_siteminder.ear\user_console.war\WEB-INF\lib\spring-ldap-core-x.x.x.jar
3. Delete the following directory:
<install_location>\adminui\standalone\tmp\vfs\
4. Start the AdminUI server
LINUX
1. Stop the AdminUI server
2. Back up the following files, then delete them from this location:
<install_location>/adminui/standalone/deployments/iam_siteminder.ear/library/spring-core-4.3.xx.jar
<install_location>/adminui/standalone/deployments/iam_siteminder.ear/library/spring-tx-4.3.xx.jar
<install_location>/adminui/standalone/deployments/iam_siteminder.ear/library/spring-beans-4.3.xx.jar
<install_location>/adminui/standalone/deployments/iam_siteminder.ear/library/spring-aop-4.3.xx.jar
<install_location>/adminui/standalone/deployments/iam_siteminder.ear/library/spring-expression-4.3.xx.jar
<install_location>/adminui/standalone/deployments/iam_siteminder.ear/library/spring-context-4.3.xx.jar
<install_location>/adminui/standalone/deployments/iam_siteminder.ear/user_console.war/WEB-INF/lib/spring-ldap-core-x.x.x.jar
3. Delete the following directory:
<install_location>/adminui/standalone/tmp/vfs/
4. Start the AdminUI server
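The Linux procedure above (steps 2 and 3, plus a check that nothing was left behind) as a bash script. This is an added example, not a script from the KB article or from Symantec/Broadcom: the backup directory, the constructed sample install tree and the placeholder jar versions in it are assumptions, and stopping and starting the AdminUI server (steps 1 and 4) is left to the operator because the article gives no command for it.

```shell
#!/usr/bin/env bash
# Added example, not from the KB article: scripts steps 2 and 3 of the Linux
# procedure above and adds a post-removal check.  Stop the AdminUI server
# before running it and start it afterwards (steps 1 and 4), as the article says.
# Assumptions not in the article: the backup directory, and that the jar
# names match the patterns the article lists.
set -euo pipefail

# Path of the EAR relative to <install_location>.
EAR_REL="adminui/standalone/deployments/iam_siteminder.ear"

# The seven jars the article says the AdminUI does not use, relative to the EAR.
SPRING_JAR_GLOBS=(
  "library/spring-core-4.3.*.jar"
  "library/spring-tx-4.3.*.jar"
  "library/spring-beans-4.3.*.jar"
  "library/spring-aop-4.3.*.jar"
  "library/spring-expression-4.3.*.jar"
  "library/spring-context-4.3.*.jar"
  "user_console.war/WEB-INF/lib/spring-ldap-core-*.jar"
)

# Print the full path of every listed jar that exists under INSTALL_DIR ($1).
find_spring_jars() {
  local ear="$1/$EAR_REL" glob f
  for glob in "${SPRING_JAR_GLOBS[@]}"; do
    for f in "$ear"/$glob; do            # unquoted $glob so the * expands
      if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
  done
  return 0
}

# Step 2: copy each listed jar into BACKUP_DIR (keeping its path relative to
# the install), verify the copy byte for byte, then delete the original.
# Prints the number of jars removed.
backup_and_remove_spring_jars() {
  local install_dir="$1" backup_dir="$2" jar rel count=0
  while IFS= read -r jar; do
    rel="${jar#"$install_dir"/}"
    mkdir -p "$backup_dir/$(dirname "$rel")"
    cp -p "$jar" "$backup_dir/$rel"
    # Never delete something whose backup is not identical to the original.
    cmp -s "$jar" "$backup_dir/$rel" || { echo "backup of $jar failed" >&2; return 1; }
    rm -f "$jar"
    count=$((count + 1))
  done < <(find_spring_jars "$install_dir")
  echo "$count"
}

# Step 3: delete the server's tmp/vfs directory.  Harmless if already absent.
clear_vfs_cache() {
  rm -rf "$1/adminui/standalone/tmp/vfs"
}

# Post-change check: status 0 only when none of the seven jars remains.
# Any other spring-*.jar under the EAR is reported for review, not deleted,
# because the article names only the seven above.
verify_spring_removed() {
  local install_dir="$1" ear="$1/$EAR_REL" remaining others
  remaining="$(find_spring_jars "$install_dir")"
  if [ -n "$remaining" ]; then
    printf 'still present:\n%s\n' "$remaining" >&2
    return 1
  fi
  others="$(find "$ear" -name 'spring-*.jar' 2>/dev/null || true)"
  if [ -n "$others" ]; then
    printf 'other Spring jars not covered by the article:\n%s\n' "$others" >&2
  fi
  return 0
}

# Constructed sample install (empty placeholder files, made-up versions) so the
# functions can be exercised offline without a real AdminUI.
make_sample_install() {
  local root="$1" ear="$1/$EAR_REL" n
  mkdir -p "$ear/library" "$ear/user_console.war/WEB-INF/lib" \
           "$root/adminui/standalone/tmp/vfs/deployment"
  for n in core tx beans aop expression context; do
    : > "$ear/library/spring-$n-4.3.4.jar"
  done
  : > "$ear/user_console.war/WEB-INF/lib/spring-ldap-core-1.2.3.jar"
  : > "$ear/library/unrelated-1.0.jar"            # must survive the cleanup
  : > "$root/adminui/standalone/tmp/vfs/deployment/stale"
}

# Demo against the constructed tree; replace with the real <install_location>
# and a backup directory of your choice when running for real.
demo() {
  local root
  root="$(mktemp -d)"
  make_sample_install "$root/install"
  echo "removed $(backup_and_remove_spring_jars "$root/install" "$root/backup") jars"
  clear_vfs_cache "$root/install"
  verify_spring_removed "$root/install" && echo "verification OK"
  rm -rf "$root"
}
demo
```

To use it on a real system, replace the `demo` call with `backup_and_remove_spring_jars <install_location> <backup_dir>`, `clear_vfs_cache <install_location>` and `verify_spring_removed <install_location>`, with the AdminUI server stopped. The script only ever deletes the seven jars the article names and the vfs directory, refuses to delete a jar whose backup copy does not compare identical, and only reports (never removes) any other Spring jar it finds under the EAR, since the article does not say those are unused.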
For Spring Framework 5.3.x on r12.8.7 and higher AdminUI, see KB 384438