Two CVE’s for New Spring4Shell Zero-Day Vulnerability:
- CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
https://tanzu.vmware.com/security/cve-2022-22963
- CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
https://tanzu.vmware.com/security/cve-2022-22965
Is CA Release Automation (Nolio) impacted by this vulnerability?
CVE-2022-22963:
This vulnerability is exploited by use of Spring Cloud Function. Nolio does not use Spring Cloud Function.
CVE-2022-22965:
There are a couple of prerequisites for exploiting this vulnerability. One of those prerequisites is using JDK9+. Nolio does not support/use JDK9+. Nolio uses JRE8+