Third-party software vulnerabilities in Advanced Authentication 9.1 SP5 CP1 (9.1.5.1)

Article ID: 395756

Updated On:

Products

  • CA Strong Authentication

  • CA Advanced Authentication

  • CA Advanced Authentication - Risk Authentication (RiskMinder / RiskFort)

  • CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort)

Issue/Introduction

When a vulnerability scan is run against Advanced Authentication, the scanner reports the Common Vulnerabilities and Exposures (CVE) entries listed below. This article provides information on the hotfix, which includes updates addressing a few security vulnerabilities.

The following Spring Framework and related component vulnerabilities have been assessed and are addressed as part of this hotfix:

CVE                   Artifact                  Version
CVE-2016-1000027      spring-web                5.3.39
CVE-2019-17495        org.webjars:swagger-ui    3.0.19
sonatype-2024-3350    commons-collections       3.2.2
CVE-2024-38816        spring-webmvc             5.3.39
sonatype-2020-1349    commons-dbcp              1.4
sonatype-2022-6438    jackson-core              2.13.5
CVE-2024-47855        json-lib                  2.4
CVE-2024-12798        logback-core              1.5.11
CVE-2024-38820        spring-context            5.3.39
CVE-2024-47554        commons-io                2.11.0
CVE-2024-21742        apache-mime4j-core        0.7.2
sonatype-2017-0492    mail                      1.4
CVE-2024-38829        spring-ldap-core          2.4.1
CVE-2024-38828        Spring Framework          5.3.42
CVE-2024-38819        Spring Framework          5.3.42
 

The patch is intended for environments running Advanced Authentication 9.1 SP5 CP1 (version 9.1.5.1) only.

Environment

Advanced Authentication 9.1 SP5 CP1 (version 9.1.5.1) only

Resolution

Patch Availability

The Symantec Advanced Authentication product team has released a hotfix for 9.1.5.1 that addresses the vulnerabilities listed above.

  • Patch Name: AdvancedAuth-9.1.5.1-April2025-Hotfix

  • Download Location: KB attachment.

  • Applicable To:

    • Advanced Authentication version 9.1 SP5 CP1 (9.1.5.1)

    • Note: This patch is not compatible with versions below 9.1.5.1

Next Steps

  • Customers on version 9.1.5.1 are encouraged to download and apply the hotfix to address the vulnerabilities listed above.

  • If you require assistance with patch application or testing in lower environments, please reach out to Broadcom Support.

Additional Information

  • The patch includes updated libraries for the Spring Framework and its dependencies, validated for compatibility with the current AA codebase.

  • There is no change in product behavior or configuration required post-patch installation.

  • The 9.1 SP5 CP2 release is planned for Dec 2025, pending further internal validation.

 

Attachments

Symantec-AdvAuth-9.1.5.1-HotFix.zip
Instructions_for_hotfix.txt