Skip to main content

Question

 Fabian Maschotta (FabianM3)
Capgemini Germany

Capgemini Germany
DE
FabianM3 Member since 2022 1 post
Capgemini Germany
Posted: Jul 7, 2023
Last activity: Jul 10, 2023
Posted: 7 Jul 2023 4:35 EDT
Last activity: 10 Jul 2023 10:11 EDT
Solved

Spring Framework CVE-2016-1000027

Hello,

we have a request from our customer if Pega is using version CVE-2016-1000027 ([email protected]) of SpringFramework in any way?

All I found now is the following link: https://docs-previous.pega.com/security-advisory/security-advisory-spring-framework-vulnerability#:~:text=Spring%20is%20only%20used%20for,request%20mapping%20and%20parameter%20binding).

in which only the versions CVE-2022-xxx are addressed.

Thanks a lot!

To see attachments, please log in.
Pega Platform 8.6.2
Security
Government
System Architect

  • Reply

Accepted Solution

Posted: 1 year ago
Updated: 1 year ago
Posted: 7 Jul 2023 7:39 EDT
Updated: 10 Jul 2023 10:11 EDT
Marije Schillern (MarijeSchillern)
MOD
Senior Knowledge Management Specialist
Pegasystems Inc.
GB

@FabianM3 The CVE-2016-1000027  description is for 5.3.16:

 

CC

I could not find any mention of this CVE with Pega code.

 

Pega 8.7 used:

code

These Spring Core libraries were only used in a very few places in DSM code - the rest of the platform does not use Spring. 

Spring released versions 5.3.19 and 5.2.21 that also fixed the CVE-2022-22968 vulnerability in addition to the earlier vulnerabilities. More info here: https://spring.io/blog/2022/04/13/spring-framework-5-3-19-and-5-2-21-available-now

Our most recent Pega Patch already upgraded  to  5.3.18 and on top of that much was refactored to remove direct spring usage.  As of 8.8.1 spring-core is  5.3.20.

Also check the Resolved Issues page for 'Spring core versions updated' solutions listed there.

Show More

@FabianM3 The CVE-2016-1000027  description is for 5.3.16:

 

CC

I could not find any mention of this CVE with Pega code.

 

Pega 8.7 used:

code

These Spring Core libraries were only used in a very few places in DSM code - the rest of the platform does not use Spring. 

Spring released versions 5.3.19 and 5.2.21 that also fixed the CVE-2022-22968 vulnerability in addition to the earlier vulnerabilities. More info here: https://spring.io/blog/2022/04/13/spring-framework-5-3-19-and-5-2-21-available-now

Our most recent Pega Patch already upgraded  to  5.3.18 and on top of that much was refactored to remove direct spring usage.  As of 8.8.1 spring-core is  5.3.20.

Also check the Resolved Issues page for 'Spring core versions updated' solutions listed there.

Please also note Pega Extended Support:

extended

Show Less
To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice