Question: Question about the following CVEs.
・ CVE-2018-1270 (vulnerability in Spring Framework)
・ CVE-2018-1271 (Directory Traversal with Spring MVC on Windows)
・ CVE-2018-1272 (Multipart Content Pollution with Spring Framework)
・ CVE-2018-1273 (RCE with Spring Data Commons)
・ CVE-2018-1274 (Denial of Service with Spring Data)
・ CVE-2018-1258 (Unauthorized Access with Spring Security Method Security)
・ CVE-2018-1259 (XXE with Spring Data's XMLBeam integration)
・ CVE-2018-1260 (Remote Code Execution with spring-security-oauth2)
・ CVE-2018-1263 (Unsafe Unzip with spring-integration-zip)
Is API Portal affected by these security vulnerabilities? If so, does CA provide a fix?
Environment
Release: Component: APIPRD
Resolution
・ CVE-2018-1270: API Portal 3.x does not use Spring Messaging, so it is not vulnerable.
・ CVE-2018-1271: This is only an issue on Windows. Also, Spring MVC is not used by Portal 3.x.
・ CVE-2018-1272: The multipart functionality of Spring is not used by Portal 3.x.
・ CVE-2018-1273: Spring Data REST backed HTTP resources are not implemented on the Portal. Therefore, Portal 3.x is not vulnerable.
・ CVE-2018-1274: Spring Data REST endpoints are not used by Portal 3.x.
・ CVE-2018-1258: Portal does not use the Spring Security module.
・ CVE-2018-1259: Portal does not use the Spring Data Commons module.
・ CVE-2018-1260: Portal does not use the Spring Security OAuth2 module.
・ CVE-2018-1263: Portal does not use the Spring Integration Zip module.
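One way to check module-usage statements like those above against an actual deployment, as an added example (not CA's or the Portal's own code): it lists the jars bundled in a WAR or fat JAR and reports which of the listed CVEs have a matching Spring module present, so that its version and usage can be reviewed. The artifactIds in the table, the function names and the sample archive with its versions are assumptions constructed for this example.

```python
import io
import re
import zipfile

# CVE -> Maven artifactIds assumed to carry the affected code. The page names
# only the Spring modules; these artifactIds are this example's assumption.
CVE_ARTIFACTS = {
    "CVE-2018-1270": ["spring-messaging"],
    "CVE-2018-1271": ["spring-webmvc"],
    "CVE-2018-1272": ["spring-web"],
    "CVE-2018-1273": ["spring-data-commons", "spring-data-rest-core"],
    "CVE-2018-1274": ["spring-data-commons", "spring-data-rest-core"],
    "CVE-2018-1258": ["spring-security-core", "spring-security-web"],
    "CVE-2018-1259": ["spring-data-commons"],
    "CVE-2018-1260": ["spring-security-oauth2"],
    "CVE-2018-1263": ["spring-integration-zip"],
}
# Non-greedy artifact part: the version starts at the first "-<digit>".
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")

def bundled_artifacts(archive):
    """Return {artifactId: version} for jars inside a WAR/fat-JAR file or file object."""
    found = {}
    with zipfile.ZipFile(archive) as zf:
        for entry in zf.namelist():
            m = JAR_RE.match(entry.rsplit("/", 1)[-1])
            if m:
                found[m["artifact"]] = m["version"]
    return found

def cves_to_review(artifacts):
    """Map each CVE to the bundled jars whose version and usage need review."""
    report = {}
    for cve, names in CVE_ARTIFACTS.items():
        hits = sorted(f"{a}-{artifacts[a]}" for a in names if a in artifacts)
        if hits:
            report[cve] = hits
    return report

def build_sample_war():
    """Constructed sample: an in-memory WAR with empty, made-up library jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for jar in ("spring-core-4.3.14.RELEASE", "spring-web-4.3.14.RELEASE",
                    "spring-data-commons-1.13.10.RELEASE", "guava-23.0"):
            zf.writestr(f"WEB-INF/lib/{jar}.jar", b"")
    return io.BytesIO(buf.getvalue())

if __name__ == "__main__":
    print(cves_to_review(bundled_artifacts(build_sample_war())))
```

A CVE missing from the report means none of the assumed artifacts is bundled; a CVE in the report only means the module is present, so the jar's version and how the application uses it still have to be checked against the vendor advisory.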