
Spring4Shell ZERO-day exploit CVE-2022-22963 and CVE-2022-22965 vulnerability for CA Workload Automation DE (dSeries)


Article ID: 238516


Updated On:

Products

- DSERIES- SERVER
- CA Workload Automation DE - System Agent (dSeries)
- CA Workload Automation DE - Scheduler (dSeries)
- CA Workload Automation DE - Business Agents (dSeries)

Issue/Introduction

Two CVEs for the new Spring4Shell zero-day vulnerability:

- CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression

https://tanzu.vmware.com/security/cve-2022-22963

- CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

https://tanzu.vmware.com/security/cve-2022-22965

 

Is CA Workload Automation DE (dSeries) impacted by this vulnerability?

Resolution

1. The ESP dSeries (WA DE) product team analyzed the following vulnerabilities, and the product is not impacted:

    https://nvd.nist.gov/vuln/detail/CVE-2022-22947

    https://nvd.nist.gov/vuln/detail/CVE-2022-22950

    https://nvd.nist.gov/vuln/detail/CVE-2022-22965

    https://nvd.nist.gov/vuln/detail/CVE-2022-22963

2. Workload Automation Agents do not use Spring Framework and are not impacted by these vulnerabilities.