
Spring4Shell 0-day Remote Code Execution in Spring framework


Article ID: 238270


Products

CA Automic Workload Automation - Automation Engine
CA Automic One Automation

Issue/Introduction

The following vulnerabilities were announced:

https://tanzu.vmware.com/security/cve-2022-22963
https://tanzu.vmware.com/security/cve-2022-22965
https://tanzu.vmware.com/security/cve-2022-22950

Is Automic Workload Automation impacted by these vulnerabilities?

The Automic Core Components (Automation Engine, WPs, CPs, JWPs, JCPs, REST API) and the AWI are not affected by this vulnerability.

Impacted components
AAI Connector
RA Web Service REST Agent (please note this is NOT the same as the Automic REST API)
AAKE Install Operator
AE SAPI (this is a sub-component used in the ServiceNow Connector or SNSC)
Infrastructure Manager
CDA Petstore demo application
Analytics (please see Additional Information below)

Please check back on this article often; we will update it as new information becomes available.

Resolution

Workaround:
For all impacted components, the workaround is to start them with Java version 8.
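A way to confirm which Java major version a component would be started with, and to inventory the Spring jars it ships, as an added example that is not Broadcom's code. The function names and status labels are hypothetical, the sample version strings are constructed, and the Java 9 condition is the one stated under Additional Information.

```shell
#!/bin/sh
# Added example: verify the Java 8 workaround for an impacted component.

# java_major VERSION_STRING -> prints the major version (8, 11, 17, ...).
# Handles the legacy "1.8.0_322" scheme and the modern "11.0.14" / "17" scheme.
java_major() {
    v=$1
    case "$v" in
        1.*) v=${v#1.} ;;          # legacy scheme: 1.8.0_322 -> 8.0_322
    esac
    v=${v%%[!0-9]*}                # keep only the leading digits
    [ -n "$v" ] || return 1        # nothing numeric: cannot decide
    printf '%s\n' "$v"
}

# java_version_of JAVA_BINARY -> prints the quoted version from `java -version`.
java_version_of() {
    "$1" -version 2>&1 | sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1
}

# workaround_status VERSION_STRING -> prints one of (labels are hypothetical):
#   workaround-applied  component runs on Java 8
#   java9-or-later      Java 9+ condition named for CVE-2022-22965 is met
#   unknown             version string could not be parsed or is older than 8
workaround_status() {
    major=$(java_major "$1") || { echo unknown; return 0; }
    if [ "$major" -eq 8 ]; then
        echo workaround-applied
    elif [ "$major" -ge 9 ]; then
        echo java9-or-later
    else
        echo unknown
    fi
}

# list_spring_jars DIR -> prints every spring-*.jar under DIR, sorted,
# so the bundled library versions can be compared after a hotfix.
list_spring_jars() {
    find "$1" -type f -name 'spring-*.jar' 2>/dev/null | sort
}

# Usage: sh check.sh /path/to/java /path/to/component  (both paths are placeholders)
if [ "$#" -eq 2 ]; then
    ver=$(java_version_of "$1")
    echo "java version: ${ver:-not found} -> $(workaround_status "$ver")"
    list_spring_jars "$2"
fi
```

Point the first argument at the java binary the component's start script actually invokes, which may differ from the `java` on the PATH.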

Component information (as of 4/4/2022):
AAI Connector - a hotfix is planned to be released within the next 3 weeks which will use the updated version of the Spring libraries

AAKE Install Operator - a hotfix is planned to be released within the next 3 weeks which will use the updated version of the Spring libraries

AE SAPI - a hotfix is planned to be released within the next 3 weeks which will use the updated version of the Spring libraries

Analytics - a hotfix has been released for Analytics v21. With regard to Analytics 2.3, which is compatible with AE v12.3: this component has no known exploit at this time that is considered high risk. Because updating the existing libraries would mean breaking compatibility with Java 8, it has been decided to leave the component as is. See further explanation in Additional Information.

CDA Petstore demo application - no fix is planned for this demo application. The application should not be used.

Infrastructure Manager - a hotfix is planned to be released within the next 3 weeks which will use the updated version of the Spring libraries

RA Web Service REST Agent - the impacted library is not used during the running of the agent; the Spring library has been removed from this component with the RA Web Service REST solution release 4.6.2

 

Broadcom is investigating other components to see the impact this vulnerability might have.
Please check back on this article often; we will update it as new information becomes available.

HF2 for v21.0.2, which contains the fix for the v21 release, has been released as of APR 29.

 

Additional Information

Analytics 2.3 (Automic Automation 12.3)

https://nvd.nist.gov/vuln/detail/CVE-2022-22963 - Spring Cloud: Analytics does not use the Spring Cloud library, so this vulnerability does not impact Analytics.
https://nvd.nist.gov/vuln/detail/CVE-2022-22965 - RCE: Based on current CVE information, the exploit for this vulnerability requires Java 9, and the application must be deployed as a WAR file. Since Analytics is not deployed as a WAR file, this does not impact Analytics.
https://nvd.nist.gov/vuln/detail/CVE-2022-22950 - SpEL Expressions: This vulnerability is relevant but is considered medium risk.

There is a large risk that updating Analytics 2.3 to use the latest Spring libraries would break the use of Analytics. Since there is no high risk to Analytics, the decision has been made to keep this as-is. The libraries have been updated in the 21.0 implementation of Analytics.