search cancel

UIM and Spring4Shell - CVE-2022-22963 and CVE-2022-22965

book

Article ID: 238282

calendar_today

Updated On:

Products

DX Unified Infrastructure Management (Nimsoft / UIM) DX Unified Infrastructure Management (Nimsoft / UIM) CA Unified Infrastructure Management SaaS (Nimsoft / UIM) Unified Infrastructure Management for Mainframe

Issue/Introduction

Is UIM impacted by Spring4Shell vulnerability CVE-2022-22963 and/or CVE-2022-22965?

Cause

CVE-2022-22963: In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
 
CVE-2022-22965: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment.

Environment

Release : ALL

Component : UIM - SECURITY VULNERABILITIES

Resolution

Two potential vulnerabilities have been identified as CVE-2022-22963 and CVE-2022-22965 affecting certain implementations of Spring Framework.

Our security teams have determined that UIM is NOT vulnerable.

UIM uses JDK8 whereas JDK9+ is required for CVE-2022-22965.

UIM is not using the routing functionality described in CVE-2022-22963.

Therefore UIM is not impacted by either vulnerability.  

This includes all components including UIM CABI (internal and bundled).

See also:

Broadcom Security Advisories - Broadcom Agile Operations Software Security Advisory for Spring Framework CVE-2022-22965 Vulnerability

Additional Information

https://nvd.nist.gov/vuln/detail/CVE-2022-22963

https://nvd.nist.gov/vuln/detail/CVE-2022-22965

changelog:
 
Updated 4/7/2022 at 8:28 AM ET by Steve Danseglio: added official link to Broadcom Security Advisory citing these Security Vulnerabilities
Updated 4/3/2022 at 2:40pm ET by Jason Allen: updated KB for readability and added confirmation that  UIM CABI is also not vulnerable.
Updated 4/1/2022 at 9:55pm ET by Jason Allen: updated KB to indicate UIM is not vulnerable
Updated 3/31/2022 at 1:27pm ET by Jason Allen : updated to include both related vulnerabilities (-22963 and -22965)
KB created 3/31/2022 10:54am ET by Jason Allen