
Spring4Shell ZERO-day exploit CVE-2022-22963 and CVE-2022-22965 vulnerability for CA Release Automation (Nolio)


Article ID: 238520


Products

- CA Release Automation - DataManagement Server (Nolio)
- CA Release Automation - Release Operations Center (Nolio)
- CA Release Automation Connector

Issue/Introduction

Two CVEs for the new Spring4Shell zero-day vulnerability:

- CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
  https://tanzu.vmware.com/security/cve-2022-22963
- CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
  https://tanzu.vmware.com/security/cve-2022-22965


Is CA Release Automation (Nolio) impacted by this vulnerability?

Resolution

CVE-2022-22963:

This vulnerability is exploited through Spring Cloud Function. Nolio does not use Spring Cloud Function.


CVE-2022-22965:

There are a couple of prerequisites for exploiting this vulnerability. One of those prerequisites is running on JDK 9+. Nolio does not support or use JDK 9+; Nolio uses JRE 8+.
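To confirm both statements on a host running Nolio, here is an added check that is not part of the Broadcom article: it parses a Java version string (both the pre-9 `1.8.0_x` scheme and the 9+ scheme) to test the JDK 9+ prerequisite cited for CVE-2022-22965, and scans an install directory for Spring Cloud Function jars for CVE-2022-22963. Function names, the jar name pattern and the version string formats are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): verify the two prerequisites the article cites.

# java_major_version VERSION_STRING -> prints the major release number.
# Java 8 and earlier report "1.8.0_312" (major is the second field);
# Java 9+ report "11.0.14" or "17" (major is the first field).
java_major_version() {
    v="$1"
    case "$v" in
        1.*) printf '%s\n' "$v" | cut -d. -f2 ;;
        *)   printf '%s\n' "$v" | cut -d. -f1 ;;
    esac
}

# meets_jdk9_prereq VERSION_STRING -> exit 0 if the runtime is Java 9 or newer
meets_jdk9_prereq() {
    major=$(java_major_version "$1")
    [ "$major" -ge 9 ]
}

# running_java_version -> version string of the java on PATH.
# `java -version` writes to stderr; first line looks like: openjdk version "1.8.0_312"
running_java_version() {
    java -version 2>&1 | head -n 1 | sed -n 's/.*"\([^"]*\)".*/\1/p'
}

# find_spring_cloud_function_jars DIR -> prints matching jar paths, exit 0 if any found.
# Jar name pattern is an assumption based on the upstream artifact naming.
find_spring_cloud_function_jars() {
    find "$1" -type f -name 'spring-cloud-function*.jar' 2>/dev/null | grep .
}

# Usage: sh check.sh --check [NOLIO_INSTALL_DIR]
if [ "${1:-}" = "--check" ]; then
    ver=$(running_java_version)
    if meets_jdk9_prereq "$ver"; then
        echo "Java $ver: JDK 9+ prerequisite for CVE-2022-22965 is met"
    else
        echo "Java $ver: JDK 9+ prerequisite for CVE-2022-22965 is NOT met"
    fi
    if find_spring_cloud_function_jars "${2:-/opt/nolio}"; then
        echo "Spring Cloud Function jars present (relevant to CVE-2022-22963)"
    else
        echo "No Spring Cloud Function jars found under ${2:-/opt/nolio}"
    fi
fi
```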