About API-GW Spring Framework vulnerability

Document ID : KB000077127
Last Modified Date : 18/05/2018
Show Technical Document Details
Question:
Question: Question about the following CEVs. 
   ・  CVE-2018-1270 (vulnerability in Spring Framework)
   ・  CVE-2018-1271 (Directory Traversal with Spring MVC on Windows)
   ・  CVE-2018-1272 (Multipart Content Pollution with Spring Framework)
   ・  CVE-2018-1273 ( RCE with Spring Data Commons)
   ・  CVE-2018-1274 ( Denial of Service with Spring Data)
   ・  CVE-2018-1257 ( ReDoS Attack with spring-messaging)
   ・  CVE-2018-1258 (Unauthorized Access with Spring Security Method Security)
   ・  CVE-2018-1259 ( XXE with Spring Data’s XMLBeam integration)
   ・  CVE-2018-1260 ( Remote Code Execution with spring-security-oauth2)
   ・  CVE-2018-1261 ( Unsafe Unzip with spring-integration-zip)
   ・  CVE-2018-1263 ( Unsafe Unzip with spring-integration-zip)
Does API Gateway take the influence of the security vulnerability? If so, does the CA provide that FIX?
Answer:
Those CVEs are NOT affecting our API Gateway... 

CVE-2018-1270: Gateway does not use spring-messaging module/feature, hence not affected 

CVE-2018-1271: This vulnerability is specific server components running on Windows OS. 

CVE-2018-1272: Gateway does not use multipartRequest module/feature from Spring Framework, hence not affected.

CVE-2018-1273: 
CVE-2018-1274: Gateway is not affected by the vulnerability reported on Spring Data Commons  as Gateway do not use Spring Data Commons and other mentioned modules out of Spring Framework.

CVE-2018-1257: Gateway does not use spring-messaging module.

CVE-2018-1258: Gateway does not use Spring Security module.

CVE-2018-1259: Gateway does not use Spring Data Commons module.

CVE-2018-1260: Gateway does not use Spring Security Oauth2 module.

CVE-2018-1261:
CVE-2018-1263: Gateway does not use Spring Integration Zip module.