Spring Framework Open Redirect Vulnerability in dependencies of SEM Agent? CVE-2024-22243

Question

Our vulnerability scanner is reporting a vulnerable dependency in the agent folder C:\WINDOWS\SysWOW64\ContegoSPOP\ 
 Is anyone else having this issue? We are on the latest version of SEM, connector version is 62.262 and our agents are 2023.4.1 too. 
 nvd.nist.gov/.../CVE-2024-22243

jembor · Accepted Answer

In case anyone else has this question, the infosec team kindly referred me to this link. 
 SolarWinds SEM and Spring Framework: CVE-2024-22243

Albert06 · Answer

OK so I went into the Customer Portal and there is a knowledgebase article about the vulnerability. Short-answer, Solarwinds says the vulnerable feature in the Spring Framework is not used by the agent, so the vulnerability does not impact SEM. 
 
 SolarWinds SEM and Spring Framework: CVE-2024-22243 
 This article addresses vulnerabilities in SolarWinds&copy; Security Event Manager (SEM) and the Spring Framework. 
 Mar 13, 2024 &bull; Success Center

First Published Date 
 3/13/2024 4:08 PM

Last Published Date 
 3/13/2024 4:08 PM

Overview 
 
 In 2024, Spring Security released the security vulnerability described below: Applications that use URIComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack OR an SSRF attack if the URL is used after passing validation checks. CVE-2024-22243 (&copy; 2024 National Institute of Standards and Technology, available at nvd.nist.gov , obtained on March 12, 2024) The vulnerability described in this CVE impacts numerous software companies.

Environment 
 SEM 2023.4

Cause 
 
 CVE-2023-21830

Resolution 
 
 This vulnerability required the use of URLComponentsBuilder, which is not used in the SolarWinds SEM product. Therefore, the vulnerability does not apply to SolarWinds SEM.

donrobert5 · Answer

https://www.solarwinds.com/information-security

Spring Framework Open Redirect Vulnerability in dependencies of SEM Agent? CVE-2024-22243

Top Replies