
KB Article #182833

QualysScan | Vulnerability | Spring Framework

Problem

Our Qualys scan detected the following outdated Spring Framework jars in the following location:

/>/integrator/local/java/lib$ ls -l *spring*
-rw-r--r-- 1 axway axway 372550 Nov 22 2022 spring-aop-5.2.2.RELEASE.jar
-rw-r--r-- 1 axway axway 684673 Nov 22 2022 spring-beans-5.2.2.RELEASE.jar
-rw-r--r-- 1 axway axway 1217810 Nov 22 2022 spring-context-5.2.2.RELEASE.jar
-rw-r--r-- 1 axway axway 1431881 Nov 22 2022 spring-core-5.2.2.RELEASE.jar
-rw-r--r-- 1 axway axway 281807 Nov 22 2022 spring-expression-5.2.2.RELEASE.jar
-rw-r--r-- 1 axway axway 7302 Nov 22 2022 spring-instrument-5.2.2.RELEASE.jar
-rw-r--r-- 1 axway axway 406637 Nov 22 2022 spring-jdbc-5.2.2.RELEASE.jar
-rw-r--r-- 1 axway axway 261758 Nov 22 2022 spring-jms-5.2.2.RELEASE.jar
-rw-r--r-- 1 axway axway 200811 Nov 22 2022 spring-orm-5.2.2.RELEASE.jar
-rw-r--r-- 1 axway axway 63906 Nov 22 2022 spring-oxm-5.2.2.RELEASE.jar
-rw-r--r-- 1 axway axway 314250 Nov 22 2022 spring-tx-5.2.2.RELEASE.jar
-rw-r--r-- 1 axway axway 1422295 Nov 22 2022 spring-web-5.2.2.RELEASE.jar

How do we fix these vulnerabilities?

Resolution

Integrator does not use the Spring Framework in its implementation: the Spring Framework is not used, and the bundled Java version is lower than 9.
For this vulnerability, see also https://support.axway.com/en/news/view/id/1358/lan...

Integrator is therefore not vulnerable: the Spring Framework is not used, and the Java version delivered with 3.7.3 SP16 is lower than Java 9.

However, you may find Spring jars delivered with the JRE itself as external libraries. These libraries are embedded in each JRE, but Integrator never uses them or loads them onto its classpath.

As an extra precaution, you can move them to another location on the server, outside the Integrator installation.

Scanning tools such as Qualys match on the name and version of a specific jar; they do not inspect the classes inside the jar or check whether the library is actually used.

If such a jar is found, the product is reported as vulnerable simply because it contains the jar. The finding in this case is therefore a false positive.
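The following POSIX shell script is an added example; it is not part of this article and not an Axway or Integrator tool. It backs the two points above with evidence a reviewer of the scanner finding will ask for: it confirms that no running JVM has the flagged jars on its command line, open, or mapped into memory (the "never loaded" claim), reports the major version of the bundled JRE (the "Java < 9" condition), and, only when asked, moves the unused jars to a quarantine directory outside the installation. The install root /integrator, the JRE binary at local/java/bin/java, the quarantine directory, and a Linux /proc filesystem are assumptions, not facts from the article.

```shell
#!/bin/sh
# Added example, not part of the Axway KB article or the Integrator product.
# Audits Spring jars that a scanner flagged, confirms no running JVM has them
# on its classpath or open, checks the bundled JRE major version, and (on
# request) moves the jars to a quarantine directory outside the installation.
# Assumptions (not stated by the article): the install root below, the JRE at
# $INTEGRATOR_HOME/local/java/bin/java, and a Linux /proc filesystem.
set -u

INTEGRATOR_HOME="${INTEGRATOR_HOME:-/integrator}"
LIB_DIR="$INTEGRATOR_HOME/local/java/lib"
JAVA_BIN="$INTEGRATOR_HOME/local/java/bin/java"
QUARANTINE="${QUARANTINE:-/var/tmp/integrator-spring-quarantine}"

# Version string from a jar path: .../spring-core-5.2.2.RELEASE.jar -> 5.2.2.RELEASE
jar_version() {
    printf '%s\n' "$1" | sed -n 's/.*-\([0-9][^-/]*\)\.jar$/\1/p'
}

# Major version from "java -version" strings: 1.8.0_345 -> 8, 11.0.2 -> 11, 17 -> 17
java_major() {
    case "$1" in
        1.*) printf '%s\n' "$1" | cut -d. -f2 ;;
        *)   printf '%s\n' "$1" | cut -d. -f1 ;;
    esac
}

# Version string reported by the bundled JRE (fails if the binary is missing)
bundled_java_version() {
    [ -x "$JAVA_BIN" ] || return 1
    "$JAVA_BIN" -version 2>&1 | sed -n 's/.* version "\([^"]*\)".*/\1/p'
}

# Succeeds (and prints the PID) if any process references the jar on its
# command line, holds it open, or has it mapped: evidence it is really loaded.
jar_in_use() {
    name=$(basename "$1")
    for pid_dir in /proc/[0-9]*; do
        if tr '\0' '\n' < "$pid_dir/cmdline" 2>/dev/null | grep -q -- "$name"; then
            echo "${pid_dir#/proc/} (on command line / classpath)"; return 0
        fi
        if ls -l "$pid_dir/fd" 2>/dev/null | grep -q -- "/$name" \
           || grep -q -- "/$name" "$pid_dir/maps" 2>/dev/null; then
            echo "${pid_dir#/proc/} (file open or mapped)"; return 0
        fi
    done
    return 1
}

audit() {
    mode="$1"   # "audit" only reports; "move" also quarantines unused jars
    jv=$(bundled_java_version) || jv=""
    if [ -n "$jv" ]; then
        major=$(java_major "$jv")
        echo "Bundled JRE: $jv (major $major)"
        [ "$major" -lt 9 ] || echo "WARNING: JRE is 9 or newer; the 'Java < 9' condition in the article no longer holds"
    else
        echo "Bundled JRE not found at $JAVA_BIN"
    fi
    for jar in "$LIB_DIR"/spring-*.jar; do
        [ -e "$jar" ] || { echo "No spring-*.jar in $LIB_DIR"; break; }
        if user=$(jar_in_use "$jar"); then
            echo "IN USE   $(basename "$jar") $(jar_version "$jar") by PID $user; do not move"
            continue
        fi
        echo "UNUSED   $(basename "$jar") $(jar_version "$jar")"
        if [ "$mode" = move ]; then
            mkdir -p "$QUARANTINE" && mv "$jar" "$QUARANTINE/" && echo "  moved to $QUARANTINE/"
        fi
    done
}

# Usage: sh spring_jar_audit.sh audit   (report only)
#        sh spring_jar_audit.sh move    (also quarantine jars no process uses)
case "${1:-}" in
    audit|move) audit "$1" ;;
esac
```

Run `audit` while Integrator is up and under normal load, since a jar is only visible as open or mapped once a classloader has touched it; an empty "IN USE" list taken with the product stopped proves nothing. After `move`, restart Integrator and exercise the integration flows, and keep the quarantine directory until you are satisfied nothing failed with a missing class, so the move can be reversed with a single `mv`.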