Release 3.7 vulnerabilities list
Critical
# | CVE | libs | Components | Resolution | Comments |
---|---|---|---|---|---|
1 | CVE-2016-1000027 | Spring 5.3.25, 5.3.33 | Shibboleth Websec, AdService Dmz | Not affected. | Shibboleth doesn’t use Java deserialization in any API endpoints. See https://www.tenable.com/security/research/tra-2016-20 for details. This is not accepted as a security issue in the Spring codebase, but rather as an insecure setup that uses Java deserialization from untrusted sources. Final resolution: Verridium doesn’t use Java serialization on any API endpoints and therefore isn’t affected. Resolution: upgrade Spring to 6.0.0 or later. |