
Spring Vulnerabilities: CVE-2022-22963 CVE-2022-22965 and Dollar Universe


Article ID: 238414


Products

CA Automic Dollar Universe

Issue/Introduction

The following vulnerabilities were announced under the name "Spring4Shell" as zero-day vulnerabilities:

- CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression

https://tanzu.vmware.com/security/cve-2022-22963

- CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

https://tanzu.vmware.com/security/cve-2022-22965

- CVE-2022-22950: Spring Expression DoS Vulnerability

https://tanzu.vmware.com/security/cve-2022-22950

Is Dollar Universe impacted by these vulnerabilities?

Cause

Defect in third-party libraries

Environment

Release: 6.x, 7.x

Component: DOLLAR UNIVERSE

Resolution

Dollar Universe does not meet the preconditions required for CVE-2022-22963 and CVE-2022-22965 to be exploitable, as described in:

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

or 

https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/

Additional Information

Spring Core is used ONLY in the following components:

  • DUX
  • UVMS
  • Reporter
  • du_webservices

The Spring version used by these components will be updated in future releases (6.10.101 and 7.0.11).