DevTest 10.4 High Vulnerabilities (Apache Tomcat, Apache-XML Batik, spring-framework)

Document ID : KB000118062
Last Modified Date : 29/10/2018
Issue:
We have done a BD scan and found around 20 High vulnerabilities in 10.4. Can you please let us know when these can be fixed? We are currently using DevTest 10.3, and if we are going to go for DevTest 10.4, when would be the time by which you think the version would be completely available? Is it going to be a patch or is it going to be a full installation on all the boxes for DevTest 10.4? It is ideal if you can provide a response at the earliest. Please let me know if you need any further info. Thanks! Vishnu
Resolution:
These are the suggested changes:

All jar files are attached to this case and can be found in the Manage Attachments section of this case under the files_from_ca folder. 

1. Replace all the occurrences of tomcat-juli-9.0.1.jar with the attached tomcat-juli-9.0.10.jar in DevTest installation. You can find all the occurrences by doing a search for 9.0.1 jar. 

2. Replace batik-xml-1.7.jar with the attached batik-xml-1.10.jar 

3. Replace all the occurrences of spring-tx-4.3.14.RELEASE.jar with the attached spring-tx-4.3.16.RELEASE.jar 

4. Replace all the occurrences of spring-webmvc-4.3.8.RELEASE.jar with the attached spring-webmvc-4.3.16.RELEASE.jar 

After replacing all the jars please restart all the servers. 

After the update, please re-run your scan, and let me know if these vulnerabilities are resolved. 
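The four replacements above can be applied in one pass with a script like the one below. This is an added example, not code shipped with DevTest or attached to the case; the DevTest home, the directory holding the attached jars and the backup directory are assumptions passed as arguments, and the jar names are the ones listed in steps 1 to 4. Every original jar is copied to the backup directory before it is removed, so the change can be reverted if a feature breaks, and list_old_jars gives a quick check that no old copy is left before restarting and re-scanning.

```shell
#!/bin/sh
# Added example (not DevTest code): replace the vulnerable jars named in this
# KB everywhere under a DevTest install, backing up each original first.
# Usage: sh replace-jars.sh <DEVTEST_HOME> <dir with attached jars> <backup dir>
set -eu

# old jar name=replacement jar name, exactly as listed in steps 1-4 of the KB
JAR_MAP='tomcat-juli-9.0.1.jar=tomcat-juli-9.0.10.jar
batik-xml-1.7.jar=batik-xml-1.10.jar
spring-tx-4.3.14.RELEASE.jar=spring-tx-4.3.16.RELEASE.jar
spring-webmvc-4.3.8.RELEASE.jar=spring-webmvc-4.3.16.RELEASE.jar'

# list_old_jars <devtest_home>: print every remaining copy of an old jar.
# Empty output means the install is clean with respect to this KB's list.
list_old_jars() {
  for pair in $JAR_MAP; do
    find "$1" -type f -name "${pair%%=*}"
  done
}

# replace_jars <devtest_home> <attachment dir> <backup dir>
# Fails before touching anything if a replacement jar is missing.
replace_jars() {
  home=$1; attach=$2; backup=$3
  for pair in $JAR_MAP; do
    [ -f "$attach/${pair#*=}" ] || { echo "missing attachment: ${pair#*=}" >&2; return 1; }
  done
  for pair in $JAR_MAP; do
    old=${pair%%=*}; new=${pair#*=}
    find "$home" -type f -name "$old" | while read -r path; do
      dir=$(dirname "$path")
      rel=${path#"$home"/}
      # keep the original under the backup dir, mirroring its relative path
      mkdir -p "$backup/$(dirname "$rel")"
      cp -p "$path" "$backup/$rel"
      rm -f "$path"
      cp "$attach/$new" "$dir/$new"
      echo "$path -> $dir/$new"
    done
  done
}

# run directly with the three arguments; sourcing the file just defines the functions
if [ $# -eq 3 ]; then
  replace_jars "$@"
  echo "remaining old jars (should be none):"; list_old_jars "$1"
fi
```

Restart all servers after the script has run, then re-run the scan as described above.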

NOTE/Suggestion: Replacing the jars as outlined above comes with a risk of breaking a few features of DevTest, and there is no way for us to know which features might be affected by these version changes, so you will need to be cautious. The general recommendation is to wait for the next release of DevTest, in which these vulnerabilities will be resolved.

These fixes are only for the high vulnerabilities listed below: 

Component         Version          Scanner component        Scanner ID   CVE             Severity  Score
Apache Tomcat     9.0.1            apache-jakartatomcat5    10439010     CVE-2018-8014   High      7.5
Apache-XML Batik  1.7              apache-xmlbatik          800075       CVE-2018-8013   High      7.5
spring-framework  4.3.14.RELEASE   springframework1869467   11371727     CVE-2018-1270   High      7.5
spring-framework  4.3.14.RELEASE   springframework1869467   11371727     CVE-2018-1275   High      7.5
spring-framework  4.3.8.RELEASE    springframework1869467   9069016      CVE-2018-1275   High      7.5
spring-framework  4.3.8.RELEASE    springframework1869467   9069016      CVE-2018-1270   High      7.5