UIM and Spring4Shell - CVE-2022-22963 and CVE-2022-22965



Article ID: 238282




Products: DX Unified Infrastructure Management (Nimsoft / UIM), CA Unified Infrastructure Management SaaS (Nimsoft / UIM), Unified Infrastructure Management for Mainframe


Is UIM impacted by Spring4Shell vulnerability CVE-2022-22963 and/or CVE-2022-22965?


Release: ALL



CVE-2022-22963: In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when the routing functionality is used, a user can supply a specially crafted SpEL expression as a routing expression, which may result in remote code execution and access to local resources.
CVE-2022-22965: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment.


Two potential vulnerabilities, tracked as CVE-2022-22963 and CVE-2022-22965, have been identified affecting certain uses of the Spring Framework and Spring Cloud Function.

Our security teams have determined that UIM is NOT vulnerable.

UIM runs on JDK 8, whereas exploitation of CVE-2022-22965 requires JDK 9 or later.

UIM does not use the Spring Cloud Function routing functionality described in CVE-2022-22963.

Therefore, UIM is not impacted by either vulnerability.

This applies to all UIM components, including UIM CABI (internal and bundled).
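Both conclusions above rest on preconditions that can be checked on a host: the JDK major version (9 or later is needed for CVE-2022-22965, and note that the java version string format changed at JDK 9) and, for CVE-2022-22963, the Spring Cloud Function version together with whether routing is used. The following Python helper is added here and is not part of the Broadcom KB or of UIM; it parses both kinds of version string and applies the conditions as the CVE texts state them. The java -version banners and version strings in it are constructed samples, and the function names are my own.

```python
"""Triage helper for the two Spring4Shell-era preconditions named in the KB.

Added example, not Broadcom or UIM code. Uses only the facts on the page:
CVE-2022-22965 needs JDK 9+ (and a Tomcat WAR deployment, a deployment
property not checked here); CVE-2022-22963 needs Spring Cloud Function
3.2.2 or older and use of the routing functionality.
"""
import re

# Last affected Spring Cloud Function version per the CVE-2022-22963 text
# ("3.1.6, 3.2.2 and older"): anything at or below 3.2.2 is in scope.
LAST_AFFECTED_SCF = (3, 2, 2)

_JAVA_VERSION_RE = re.compile(r'version "([^"]+)"')


def jdk_major_version(version_string: str) -> int:
    """Return the JDK major version from a java version string.

    Handles the legacy scheme used through JDK 8 ("1.8.0_292", where the
    major is the second component) and the scheme used from JDK 9 on
    ("11.0.14", "17", "9-ea", where the major is the first component).
    """
    parts = version_string.split("-", 1)[0].split(".")
    if parts[0] == "1" and len(parts) > 1:
        return int(parts[1])   # "1.8.0_292" -> 8
    return int(parts[0])       # "11.0.14" -> 11, "17" -> 17


def jdk_major_from_banner(banner: str) -> int:
    """Extract the major version from `java -version` output."""
    match = _JAVA_VERSION_RE.search(banner)
    if not match:
        raise ValueError("no version string found in java -version output")
    return jdk_major_version(match.group(1))


def cve_2022_22965_jdk_precondition(banner: str) -> bool:
    """True when the runtime is JDK 9 or later, the JDK precondition for CVE-2022-22965."""
    return jdk_major_from_banner(banner) >= 9


def parse_version(version: str) -> tuple:
    """'3.1.6' -> (3, 1, 6); a trailing qualifier such as '.RELEASE' is ignored."""
    numbers = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        numbers.append(int(piece))
    return tuple(numbers)


def scf_version_affected(version: str) -> bool:
    """True when a Spring Cloud Function version lies in the range the CVE text names."""
    return parse_version(version) <= LAST_AFFECTED_SCF


def cve_2022_22963_exposed(version: str, uses_routing: bool) -> bool:
    """Exposure requires both an affected version and use of the routing functionality."""
    return uses_routing and scf_version_affected(version)


# Constructed sample banners (not captured from a real UIM host).
SAMPLE_BANNERS = {
    "jdk8": 'openjdk version "1.8.0_292"\nOpenJDK Runtime Environment (build 1.8.0_292-b10)',
    "jdk11": 'openjdk version "11.0.14" 2022-01-18\nOpenJDK Runtime Environment (build 11.0.14+9)',
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, "-> JDK major", jdk_major_from_banner(banner),
              "| JDK 9+ precondition met:", cve_2022_22965_jdk_precondition(banner))
    for scf in ("3.1.6", "3.2.2", "3.2.3"):
        print("spring-cloud-function", scf, "in affected range:", scf_version_affected(scf),
              "| exposed with routing:", cve_2022_22963_exposed(scf, uses_routing=True))
```

On a real host, feed the stderr of `java -version` from the JRE that UIM actually launches with (not necessarily the first `java` on PATH) into jdk_major_from_banner; the JDK 8 result is the point the KB makes, and a JDK 9+ result would mean only that one precondition holds, not that the application is exploitable.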

See also:

Broadcom Security Advisories - Broadcom Agile Operations Software Security Advisory for Spring Framework CVE-2022-22965 Vulnerability

Additional Information



Updated 4/7/2022 at 8:28 AM ET by Steve Danseglio: added official link to Broadcom Security Advisory citing these Security Vulnerabilities
Updated 4/3/2022 at 2:40pm ET by Jason Allen: updated KB for readability and added confirmation that UIM CABI is also not vulnerable.
Updated 4/1/2022 at 9:55pm ET by Jason Allen: updated KB to indicate UIM is not vulnerable
Updated 3/31/2022 at 1:27pm ET by Jason Allen: updated to include both related vulnerabilities (-22963 and -22965)
KB created 3/31/2022 at 10:54am ET by Jason Allen