Spring Framework CVE-2016-1000027

Hello,

We have a request from our customer asking whether Pega is using the Spring Framework version affected by CVE-2016-1000027 in any way.

All I found so far is the following link: Pegasystems Documentation,

in which only the CVE-2022-xxx issues are addressed.

Thanks a lot!

@FabianM3 The CVE-2016-1000027 description is for 5.3.16:

I could not find any mention of this CVE with Pega code.

Pega 8.7 used:

These Spring Core libraries were only used in very few places in the DSM code; the rest of the platform does not use Spring.

Spring released versions 5.3.19 and 5.2.21 that also fixed the CVE-2022-22968 vulnerability in addition to the earlier vulnerabilities. More info here: https://spring.io/blog/2022/04/13/spring-framework-5-3-19-and-5-2-21-available-now

Our most recent Pega patch already upgraded to 5.3.18, and on top of that much was refactored to remove direct Spring usage. As of 8.8.1, spring-core is 5.3.20.

Also check the Resolved Issues page for ‘Spring core versions updated’ solutions listed there.

Please also note Pega Extended Support:
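The thread answers "which Spring version does Pega ship?" by quoting release notes. For a concrete installation a practitioner usually wants to verify that on disk. The script below is an added example, not Pega's or Spring's code: it walks a directory of jars, reads the Maven `pom.properties` that every `org.springframework` jar carries under `META-INF/maven/`, and grades each Spring artifact against the fixed versions the answer above names (5.3.19 and 5.2.21 for CVE-2022-22968). The page gives no fixed version for CVE-2016-1000027 itself, so those two floors are the only ones encoded; other release lines are reported as "unknown" for manual review. The jars it scans are constructed in a temp directory purely as a fixture.

```python
"""Inventory Spring jars under a directory and grade them against known fixed versions.

Added example, not Pega's or Spring's code. Assumptions:
  * each Spring jar ships META-INF/maven/org.springframework/<artifact>/pom.properties
    containing a 'version=' line (the standard Maven layout);
  * the floors below are the fixed versions cited in the thread for CVE-2022-22968.
"""
import os
import re
import tempfile
import zipfile

# Fixed versions named in the thread (5.3.19 / 5.2.21), keyed by release line.
FIXED_FLOORS = {"5.3": (5, 3, 19), "5.2": (5, 2, 21)}

POM_RE = re.compile(r"^META-INF/maven/org\.springframework/([^/]+)/pom\.properties$")


def parse_version(version):
    """'5.3.18' -> (5, 3, 18); tolerates suffixes such as '5.2.21.RELEASE'."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def status(version):
    """'vulnerable' below the floor of its line, 'fixed' at or above it,
    'unknown' for release lines the thread does not name (review manually)."""
    parsed = parse_version(version)
    floor = FIXED_FLOORS.get(f"{parsed[0]}.{parsed[1]}")
    if floor is None:
        return "unknown"
    return "vulnerable" if parsed < floor else "fixed"


def spring_artifacts(jar_path):
    """Return {artifact: version} for every Spring pom.properties inside a jar."""
    found = {}
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            match = POM_RE.match(name)
            if not match:
                continue
            props = zf.read(name).decode("utf-8", "replace")
            for line in props.splitlines():
                if line.startswith("version="):
                    found[match.group(1)] = line.split("=", 1)[1].strip()
    return found


def scan_spring_jars(root):
    """Walk root recursively; return [(relative jar path, artifact, version)]."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if not fname.endswith((".jar", ".war", ".zip")):
                continue
            path = os.path.join(dirpath, fname)
            for artifact, version in spring_artifacts(path).items():
                hits.append((os.path.relpath(path, root), artifact, version))
    return hits


def _make_jar(path, artifact, version):
    """Constructed fixture: a minimal jar carrying only Spring's Maven metadata."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(
            f"META-INF/maven/org.springframework/{artifact}/pom.properties",
            f"version={version}\ngroupId=org.springframework\nartifactId={artifact}\n",
        )


def demo():
    """Build a constructed lib tree and return [(jar, artifact, version, status)]."""
    root = tempfile.mkdtemp()
    _make_jar(os.path.join(root, "spring-core-5.3.18.jar"), "spring-core", "5.3.18")
    _make_jar(os.path.join(root, "spring-web-5.3.20.jar"), "spring-web", "5.3.20")
    _make_jar(os.path.join(root, "spring-core-5.2.21.jar"), "spring-core", "5.2.21.RELEASE")
    os.makedirs(os.path.join(root, "lib"))
    _make_jar(os.path.join(root, "lib", "spring-beans-4.3.30.jar"), "spring-beans", "4.3.30.RELEASE")
    # A jar without Spring metadata must be ignored, not misreported.
    with zipfile.ZipFile(os.path.join(root, "other.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return [(jar, art, ver, status(ver)) for jar, art, ver in scan_spring_jars(root)]


if __name__ == "__main__":
    for jar, artifact, version, verdict in demo():
        print(f"{verdict:10} {artifact:14} {version:16} {jar}")
```

Point `scan_spring_jars` at the application's lib directory (or at an unpacked WAR) to see exactly which Spring artifacts and versions are present; a Pega release that has refactored direct Spring usage away should show few or no hits, and any 5.3.x below 5.3.19 or 5.2.x below 5.2.21 is flagged against the versions the answer above cites.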