About Spring Framework vulnerability

Document ID : KB000076848
Last Modified Date : 15/05/2018
Question:
Question about the following CVEs:
   ・  CVE-2018-1270 (vulnerability in Spring Framework)
   ・  CVE-2018-1271 (Directory Traversal with Spring MVC on Windows)
   ・  CVE-2018-1272 (Multipart Content Pollution with Spring Framework)
   ・  CVE-2018-1273 (RCE with Spring Data Commons)
   ・  CVE-2018-1274 (Denial of Service with Spring Data)
   ・  CVE-2018-1258 (Unauthorized Access with Spring Security Method Security)
   ・  CVE-2018-1259 (XXE with Spring Data's XMLBeam integration)
   ・  CVE-2018-1260 (Remote Code Execution with spring-security-oauth2)
   ・  CVE-2018-1263 (Unsafe Unzip with spring-integration-zip)
Is API Portal affected by these security vulnerabilities? If so, does CA provide a fix?
Answer:
・  CVE-2018-1270: API Portal 3.x does not use Spring Messaging, so it is not vulnerable.
・  CVE-2018-1271: This is only an issue on Windows. Also, Spring MVC is not used by Portal 3.x.
・  CVE-2018-1272: The multipart functionality of Spring is not used by Portal 3.x.
・  CVE-2018-1273: Spring Data REST backed HTTP resources are not implemented on the Portal. Therefore, Portal 3.x is not vulnerable.
・  CVE-2018-1274: Spring Data REST endpoints are not used by Portal 3.x.
・  CVE-2018-1258: Portal does not use the Spring Security module.
・  CVE-2018-1259: Portal does not use the Spring Data Commons module.
・  CVE-2018-1260: Portal does not use the Spring Security OAuth2 module.
・  CVE-2018-1263: Portal does not use the Spring Integration Zip module.
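Every answer above rests on the same argument: the Spring module the CVE lives in is not on the Portal's classpath. The script below is an added example (not CA's code and not part of this document) that lets an administrator confirm that argument for their own deployment: it lists the JARs in a library directory, maps the Spring artifact names to the CVEs in the question, and reports which modules are actually present. The mapping from CVE to Maven artifactId is an assumption made here from the module named in each answer (in particular, Spring's multipart support is assumed to ship in spring-web), and the sample JAR names are constructed for illustration. Presence of a module only means the "not used" reasoning does not apply; whether that version is actually fixed still has to be checked against the vendor advisory.

```python
"""Report which Spring modules named in the KB answers are present in a lib directory.

Added example, not CA's code. Assumes JARs follow the usual Maven layout
<artifactId>-<version>.jar (e.g. spring-web-4.3.14.RELEASE.jar).
"""
import os
import re
import sys

# artifactId -> CVEs from the question that concern that module.
# ASSUMPTION: derived from the module each answer names, not from the page itself.
MODULE_CVES = {
    "spring-messaging": ["CVE-2018-1270"],       # Spring Messaging
    "spring-webmvc": ["CVE-2018-1271"],          # Spring MVC
    "spring-web": ["CVE-2018-1272"],             # multipart support (assumed to live here)
    "spring-data-commons": ["CVE-2018-1273", "CVE-2018-1259"],
    "spring-data-rest-core": ["CVE-2018-1274"],  # Spring Data REST endpoints
    "spring-security-core": ["CVE-2018-1258"],   # Spring Security method security
    "spring-security-oauth2": ["CVE-2018-1260"],
    "spring-integration-zip": ["CVE-2018-1263"],
}

# Non-greedy artifact part stops at the first "-<digit>", so "spring-web-4.3.14.RELEASE.jar"
# yields ("spring-web", "4.3.14.RELEASE") and does not swallow "spring-webmvc-...".
JAR_RE = re.compile(r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d[\w.-]*)\.jar$")


def parse_jar_name(filename):
    """Split a JAR file name into (artifactId, version), or None if it does not fit the layout."""
    m = JAR_RE.match(filename)
    if m is None:
        return None
    return m.group("artifact"), m.group("version")


def affected_cves(jar_names):
    """Map each CVE whose module is present to the JAR(s) that provide that module."""
    found = {}
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed is None:
            continue
        artifact, _version = parsed
        for cve in MODULE_CVES.get(artifact, []):
            found.setdefault(cve, []).append(name)
    return found


def scan_lib_dir(path):
    """Run affected_cves() over the JAR files in a directory (e.g. WEB-INF/lib)."""
    names = sorted(n for n in os.listdir(path) if n.endswith(".jar"))
    return affected_cves(names)


# Constructed sample classpath for illustration; not taken from any real Portal install.
SAMPLE_JARS = [
    "spring-core-4.3.14.RELEASE.jar",
    "spring-web-4.3.14.RELEASE.jar",
    "spring-webmvc-4.3.14.RELEASE.jar",
    "jackson-databind-2.9.5.jar",
    "spring-security-oauth2-2.2.1.RELEASE.jar",
]

if __name__ == "__main__":
    # Usage: python check_spring_modules.py [path/to/WEB-INF/lib]
    report = scan_lib_dir(sys.argv[1]) if len(sys.argv) > 1 else affected_cves(SAMPLE_JARS)
    if not report:
        print("none of the Spring modules named in the advisory are present")
    for cve in sorted(report):
        print(f"{cve}: module present via {', '.join(report[cve])} (check version against advisory)")
```

Run it with the path to the deployment's library directory to get a list of CVEs whose module is present; an empty report means the classpath contains none of the modules the answers mention, which is the condition each "not used" answer depends on.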