Question: Question about the following CVEs.
･ CVE-2018-1270 (vulnerability in Spring Framework)
･ CVE-2018-1271 (Directory Traversal with Spring MVC on Windows)
･ CVE-2018-1272 (Multipart Content Pollution with Spring Framework)
･ CVE-2018-1273 (RCE with Spring Data Commons)
･ CVE-2018-1274 (Denial of Service with Spring Data)
･ CVE-2018-1258 (Unauthorized Access with Spring Security Method Security)
･ CVE-2018-1259 (XXE with Spring Data's XMLBeam integration)
･ CVE-2018-1260 (Remote Code Execution with spring-security-oauth2)
･ CVE-2018-1263 (Unsafe Unzip with spring-integration-zip)

Is API Portal affected by these security vulnerabilities? If so, does CA provide a fix?
Release: Component: APIPRD
･ CVE-2018-1270: API Portal 3.x does not use Spring Messaging, so it is not vulnerable.
･ CVE-2018-1271: It is only an issue on Windows. Also, Spring MVC is not used by Portal 3.x.
･ CVE-2018-1272: The multipart functionality of Spring is not used by Portal 3.x.
･ CVE-2018-1273: Spring Data REST backed HTTP resources are not implemented on the Portal. Therefore, Portal 3.x is not vulnerable.
･ CVE-2018-1274: Spring Data REST endpoints are not used by Portal 3.x.
･ CVE-2018-1258: Portal does not use the Spring Security module.
･ CVE-2018-1259: Portal does not use the Spring Data Commons module.
･ CVE-2018-1260: Portal does not use the Spring Security OAuth2 module.
･ CVE-2018-1263: Portal does not use the Spring Integration Zip module.
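
One way to check the module-level statements above against an actual installation, as an added example (not CA's or the Portal's own code): it inventories Spring jars under a directory, including jars nested in WAR/EAR/fat-JAR archives, and groups them by the CVEs listed here. The jar-name patterns are the modules' public Maven artifact ids, assumed to appear unchanged on disk; a match shows that a jar is present, not that the Portal uses it.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Jar-name patterns for the Spring modules the answer names (assumed to follow
# the public Maven artifact ids). CVE-2018-1272 concerns a feature (multipart),
# not a separate module, so it has no entry here.
PATTERNS = {
    r"spring-messaging-\d": ["CVE-2018-1270"],
    r"spring-webmvc-\d": ["CVE-2018-1271"],
    r"spring-data-rest-(core|webmvc)-\d": ["CVE-2018-1273", "CVE-2018-1274"],
    r"spring-data-commons-\d": ["CVE-2018-1259"],
    r"spring-security-(core|config|web)-\d": ["CVE-2018-1258"],
    r"spring-security-oauth2-\d": ["CVE-2018-1260"],
    r"spring-integration-zip-\d": ["CVE-2018-1263"],
}
ARCHIVE_EXT = (".jar", ".war", ".ear")

def match_cves(name):
    """Return the CVE ids whose module pattern matches this archive file name."""
    base = name.rsplit("/", 1)[-1]
    return [cve for pat, cves in PATTERNS.items() if re.match(pat, base) for cve in cves]

def scan(name, data, where, findings):
    """Record CVEs matching this archive's name, then recurse into its entries."""
    for cve in match_cves(name):
        findings.setdefault(cve, []).append(where)
    try:
        with zipfile.ZipFile(data) as zf:
            for entry in zf.namelist():
                if entry.lower().endswith(ARCHIVE_EXT):
                    scan(entry, io.BytesIO(zf.read(entry)), f"{where}!{entry}", findings)
    except zipfile.BadZipFile:
        pass  # not a readable archive: the name match above is all we can record

def scan_tree(root):
    """Map CVE id -> locations of matching Spring jars found under root."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.name.lower().endswith(ARCHIVE_EXT):
            scan(path.name, path, str(path), findings)
    return findings

if __name__ == "__main__":
    for cve, hits in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(cve, *hits, sep="\n  ")
```

An empty result for a CVE is consistent with the corresponding statement above; a hit is a reason to ask the vendor whether the module is actually loaded or reachable.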