
Spring4Shell zero-day exploit CVE-2022-22963 and CVE-2022-22965 vulnerability for CA Agile Requirements Designer (ARD)


Article ID: 238523


Updated On:

Products

CA Agile Requirements Designer

Issue/Introduction

Two CVEs for the new Spring4Shell zero-day vulnerability:

- CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
  https://tanzu.vmware.com/security/cve-2022-22963
- CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
  https://tanzu.vmware.com/security/cve-2022-22965

Is CA Agile Requirements Designer (ARD) impacted by this vulnerability?

Resolution

Agile Requirements Designer Studio is not affected by CVE-2022-22963 or CVE-2022-22965, so customers who do not use ARD Hub are not impacted.

Agile Requirements Designer Hub is not vulnerable to CVE-2022-22963.
Agile Requirements Designer Hub is vulnerable to CVE-2022-22965.

The ARD Hub development team has completed the fixes for the hub at this time.

These fixes contain the below:

- We will implement the Spring official workaround (disallowed fields).
- For the dockerized installation of ARD Hub, we will also upgrade the Tomcat version deployed within our containers.
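The "disallowed fields" workaround mentioned above is the mitigation Spring published for CVE-2022-22965: a global `@ControllerAdvice` whose `@InitBinder` method blocks any request parameter whose property path starts with or traverses `class` / `Class`, which is the path the data-binding exploit walks. The following is an added illustration of that workaround, not code from the ARD Hub product or from this article; the class name `BinderControllerAdvice` is an arbitrary choice, and it assumes an application on Spring MVC with the `spring-web` and `spring-core` jars on the classpath.

```java
package example.security; // hypothetical package name, not part of ARD Hub

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global data-binding hardening for CVE-2022-22965 (Spring4Shell).
 *
 * Every WebDataBinder created for a controller method passes through this
 * advice before request parameters are bound onto a model object. Any
 * parameter whose nested property path matches one of the deny patterns is
 * dropped instead of being bound, so a request cannot reach
 * class -> classLoader -> ... through the bound bean.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE) // run after other advices so nothing re-enables the fields
public class BinderControllerAdvice {

    /** Property-path patterns that must never be bindable from request data. */
    private static final String[] DENYLIST = {
        "class.*",     // top-level: ?class.classLoader...
        "Class.*",     // capitalised variant accepted by the bean introspector
        "*.class.*",   // nested:    ?someBean.class.classLoader...
        "*.Class.*"
    };

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Caveat: a controller that declares its own @InitBinder and calls
        // setDisallowedFields locally replaces this global list, so such
        // controllers must include the same patterns themselves.
        dataBinder.setDisallowedFields(DENYLIST);
    }
}
```

This is a defense in depth measure layered on top of the real fix (Spring Framework 5.3.18+/5.2.20+ and the Tomcat upgrade described elsewhere on this page); it narrows the attack surface of data binding but does not remove the underlying framework defect. Suppressed fields are visible at runtime via `BindingResult.getSuppressedFields()`, which is a convenient place to log and alert on requests that attempt to bind `class.*` paths.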

NOTE: Fixes are now published to the download section of Support.


For clients who have done a manual install of ARD Hub with their own Tomcat installation, the recommended first line of defense is to upgrade that Tomcat installation to a version > 9.0.62, per the Tomcat documentation.

Attachments