Two CVEs for the new Spring4Shell zero-day vulnerability:
- CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
https://tanzu.vmware.com/security/cve-2022-22963
- CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
https://tanzu.vmware.com/security/cve-2022-22965
Is CA Workload Automation DE (dSeries) impacted by this vulnerability?
1. The ESP dSeries (WA DE) product team analyzed the following vulnerabilities, and the product is not impacted:
https://nvd.nist.gov/vuln/detail/CVE-2022-22947
https://nvd.nist.gov/vuln/detail/CVE-2022-22950
https://nvd.nist.gov/vuln/detail/CVE-2022-22965
https://nvd.nist.gov/vuln/detail/CVE-2022-22963
2. Workload Automation Agents do not use the Spring Framework and are not impacted by these vulnerabilities.