Difficult to exploit Java SDK Updates in ASCG

Brocade ASC-Gateway OVA

35945

15 July 2025

15 July 2025

CLOSED

LOW

Varies

CVE-2024-20918, CVE-2024-20952, CVE-2024-20926, CVE-2024-21002, CVE-2024-21003, CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21144, CVE-2024-21147, CVE-2024-47561

Brocade Security Advisory ID: BSA-2025-3052

Component: Java

Summary

Difficult-to-exploit vulnerabilities exist in the Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition products of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Unspecified vulnerabilities in Java SE related to the Security component could allow a remote attacker to cause high confidentiality impact and high integrity impact.

Brocade ASCG Java components are in a containerized environment and are not exploitable by any user or administrator.

CP-Kafka Updates

Unspecified vulnerabilities in Java SE related to the Security component could allow a remote attacker to cause high confidentiality impact and high integrity impact: CVE-2024-20918, CVE-2024-20952, CVE-2024-20926, CVE-2024-21002, CVE-2024-21003, CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21144, CVE-2024-21147

CP-Schema Update

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue: CVE-2024-47561.
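One way to check a jar against the Avro versions named above, as an added example that is not Brocade's or Apache's code: it reads the Avro version from the Maven metadata inside the jar and compares it with 1.11.4. The function names and the in-memory sample jars are constructed for illustration, and the check assumes the jar keeps its META-INF/maven metadata.

```python
import io
import re
import zipfile

# Maven metadata entry carried by the Avro Java SDK jar (org.apache.avro:avro).
AVRO_POM = "META-INF/maven/org.apache.avro/avro/pom.properties"
FIXED = (1, 11, 4)  # first fixed release named in the advisory; 1.12.0 sorts above it

def parse_version(text):
    """Return (major, minor, patch), or None when the string is not numeric."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def avro_version_in_jar(jar_bytes):
    """Return the version string from the jar's Avro metadata, or None if absent."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            if AVRO_POM not in jar.namelist():
                return None
            props = jar.read(AVRO_POM).decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def classify(jar_bytes):
    """Classify one jar as 'not-avro', 'affected', 'fixed' or 'unknown'."""
    raw = avro_version_in_jar(jar_bytes)
    if raw is None:
        return "not-avro"
    ver = parse_version(raw)
    if ver is None:
        return "unknown"
    return "affected" if ver < FIXED else "fixed"

def sample_jar(version):
    """Build a constructed in-memory jar; version=None omits the Avro metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version is not None:
            jar.writestr(AVRO_POM, f"artifactId=avro\nversion={version}\n")
    return buf.getvalue()

if __name__ == "__main__":
    for v in ("1.11.3", "1.11.4", "1.12.0", None):
        print(v, "->", classify(sample_jar(v)))
```

A jar that strips META-INF/maven, or that nests Avro inside another archive, is reported as not-avro, so that result means "not found by this check" rather than "absent".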

 

Products Not Affected

  • Brocade Fabric OS
    [VEX Justification: Component_not_present]
  • Brocade SANnav
    [VEX Justification: Vulnerable_code_cannot_be_controlled_by_adversary]
  • Brocade ASCG
    [VEX Justification: Vulnerable_code_cannot_be_controlled_by_adversary]

 

Solution

  • While Brocade SANnav is not exploitable, security updates for Azul Zulu Java and Oracle critical patch updates are provided in Brocade SANnav 2.3.1b and 2.4.0.
  • While Brocade ASCG is not exploitable, a security update is provided in Brocade ASCG 3.3.0.

Revision History

Version   Change                Date
1.0       Initial Publication   July 15, 2025

Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.