Spring4Shell ZERO-day exploit CVE-2022-22963, CVE-2022-22965 and CVE-2022-22947, CVE-2022-22950 vulnerability for CA Workload Automation AE (Autosys) and iXP



Article ID: 238514


Products

- CA Workload Automation AE
- CA Workload Automation AE - Business Agents (AutoSys)
- CA Workload Automation AE - Scheduler (AutoSys)
- CA Workload Automation AE - System Agent (AutoSys)
- CA Workload Automation iXP

Issue/Introduction

- CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression (https://tanzu.vmware.com/security/cve-2022-22963)

- CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+ (https://tanzu.vmware.com/security/cve-2022-22965)

- CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability (https://tanzu.vmware.com/security/cve-2022-22947)

- CVE-2022-22950: Spring Expression DoS Vulnerability (https://tanzu.vmware.com/security/cve-2022-22950)

Is CA Workload Automation AE (AutoSys) impacted by these vulnerabilities?

Environment

All supported AutoSys Workload Automation versions

Resolution

CVE-2022-22963 - Remote code execution in Spring Cloud Function by malicious Spring Expression

AutoSys Workload Automation (Engine and WebUI/WCC) does not have any dependency on the Spring Cloud Function component. Therefore, AutoSys Workload Automation product is not vulnerable.

Embedded Entitlements Manager (EEM) neither bundles nor depends on Spring Cloud Function, so it is not vulnerable.


CVE-2022-22965 - Spring Framework RCE via Data Binding on JDK 9+

The AutoSys Workload Automation product is bundled with, and works only with, Java 8; it does not run on any later Java version.

AutoSys Engine - This does not have any dependency on the Spring framework. Hence, AutoSys Engine module is not vulnerable.

AutoSys WebUI (WCC) - This module ships with and depends on the Spring framework. Based on analysis of the information published by Spring and other sources for CVE-2022-22965, it is vulnerable only when a set of preconditions are all met.

The preconditions are that the application uses all of the following:

- a spring-webmvc or spring-webflux dependency, AND
- Spring Framework version 5.3.x prior to 5.3.18, or any version prior to 5.2.20, AND
- a Java 9 Runtime Environment or above, regardless of the language version the application is compiled for, AND
- deployment on the Tomcat application server as a WAR, AND
- Spring Web MVC with parameter binding (enabled by default), AND
- no allowlist of HTTP fields registered as allowed, and no explicit disallow list for fields that could be used with malicious intent.

AutoSys WebUI uses spring-webmvc, bundles Spring Framework 5.2.5 (or older, depending on the AutoSys version), ships with Java 8 (it cannot run on Java 9 or later), is not deployed as a WAR file but as exploded folders, does not change any default Spring parameters, and does not configure any allow/disallow list.

While details on this vulnerability are still evolving, based on the information available to date on how it is exploited, we do not consider even AutoSys WebUI to be vulnerable, since exploitation relies on the Modules feature introduced in Java 9.

Embedded Entitlements Manager (EEM) neither bundles nor depends on the Spring Framework, so it is not vulnerable.

Workload Automation Agents are not impacted by the above two CVEs.


CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability

AutoSys Workload Automation (Engine and WebUI/WCC) does not have any dependency on the Spring Cloud Gateway component. Therefore, AutoSys Workload Automation product is not vulnerable.

Embedded Entitlements Manager (EEM) neither bundles nor depends on Spring Cloud Gateway, so it is not vulnerable.


CVE-2022-22950: Spring Expression DoS Vulnerability

Autosys Engine - This does not have any dependency on the Spring framework. Hence, AutoSys Engine module is not vulnerable.

AutoSys WebUI - WebUI is not impacted by this; there is no explicit way for the specially constructed expressions to be defined or used in WebUI.

Embedded Entitlements Manager (EEM) neither bundles nor depends on the Spring Framework, so it is not vulnerable.

Workload Automation iXP - iXP is not impacted by any of the above CVEs.

Additional Information

CVE-2022-22965 - Spring Framework RCE via Data Binding on JDK 9+
The actual cause is unforeseen access to Tomcat's ClassLoader as a result of the new Module feature added in Java 9.

NOTE:
The bundled Spring jar files can NOT be deleted manually, as this will break the application.

Autosys R12.1 has this:
ls -al ./bin/lib/spring-webmvc.jar
-rw-r--r--. 1 autosys autosys 1028706 Oct 14 15:08 ./bin/lib/spring-webmvc.jar
[root@hostname   wcc]# unzip -p ./bin/lib/spring-webmvc.jar META-INF/MANIFEST.MF | grep "Bundle-Name\|Bundle-Version\|Implementation-Title\|Implementation-Version"
Implementation-Title: spring-webmvc
Implementation-Version: 5.3.22
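As an added example that is not part of the Broadcom article, the following shell script turns the CVE-2022-22965 preconditions listed above and the manifest check just shown into a repeatable assessment; the jar path and the `java -version` output format are assumptions, and the sample data at the end is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the Broadcom article: evaluates the CVE-2022-22965
# preconditions listed above from values captured on a WCC host, assumed to come
# from `unzip -p ./bin/lib/spring-webmvc.jar META-INF/MANIFEST.MF` and `java -version 2>&1`.

# Print the Implementation-Version value from MANIFEST.MF text.
manifest_version() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^Implementation-Version:[[:space:]]*//p' | head -n 1
}

# Exit 0 when the version carries the fix (5.3.18+ on the 5.3 line, 5.2.20+ on
# the 5.2 line); older 5.x/4.x exit 1. "5.2.5.RELEASE" parses as 5/2/5.
spring_fixed() {
  major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}; patch=${rest#*.}
  patch=${patch%%[!0-9]*}; patch=${patch:-0}
  [ "$major" -gt 5 ] && return 0
  [ "$major" -eq 5 ] || return 1
  case "$minor" in
    3) [ "$patch" -ge 18 ] ;;
    2) [ "$patch" -ge 20 ] ;;
    *) return 1 ;;
  esac
}

# Print the Java major version from `java -version` output:
# 'java version "1.8.0_345"' -> 8, 'openjdk version "11.0.2"' -> 11.
java_major() {
  v=$(printf '%s\n' "$1" | sed -n 's/^[^ ]* version "\([^"]*\)".*/\1/p' | head -n 1)
  case "$v" in 1.*) v=${v#1.} ;; esac
  echo "${v%%.*}"
}

# The article's preconditions are conjunctive: unpatched Spring AND Java 9+ AND
# a WAR deployment. Reports the first one that fails, else "preconditions-met".
assess() {  # $1 Spring version, $2 Java major, $3 "war" or "exploded"
  if spring_fixed "$1"; then echo "not-vulnerable: spring $1 carries the fix"; return 0; fi
  if [ "$2" -lt 9 ]; then echo "not-vulnerable: java $2 lacks the Java 9 module API"; return 0; fi
  if [ "$3" != "war" ]; then echo "not-vulnerable: deployed as $3, not a WAR"; return 0; fi
  echo "preconditions-met"
}

# Constructed sample data (not from a real host): Spring 5.2.5 on Java 8, exploded.
SAMPLE_MANIFEST='Manifest-Version: 1.0
Implementation-Title: spring-webmvc
Implementation-Version: 5.2.5.RELEASE'
SAMPLE_JAVA='java version "1.8.0_345"
Java(TM) SE Runtime Environment (build 1.8.0_345-b01)'
assess "$(manifest_version "$SAMPLE_MANIFEST")" "$(java_major "$SAMPLE_JAVA")" exploded
```

On a real host, feed `assess` the manifest output, the `java -version 2>&1` banner and "war" or "exploded" according to how WCC is laid out on disk.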