Spring4Shell ZERO-day exploit CVE-2022-22963 and CVE-2022-22965 vulnerability for CA Service Operations Insight (SOI)

Article ID: 238524

Products

CA Service Operations Insight (SOI)

Issue/Introduction

Two CVEs for the new Spring4Shell zero-day vulnerability:

- CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
  https://tanzu.vmware.com/security/cve-2022-22963

- CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
  https://tanzu.vmware.com/security/cve-2022-22965

Is CA Service Operations Insight (SOI) impacted by this vulnerability?

Environment

CA Service Operations Insight

SOI (Application Server, UI Server, Integration Services, MQ Server, Store Indexer, UCF Broker, Catalyst container, EEM 12.6.3, uniCABI 7.1.1)

SOI connectors (APM, Remedy, Helpdesk, UIM, SCOM, ServiceNow, SNMP)

Cause

Spring4Shell: New RCE vulnerability uncovered in Java framework

Resolution

SOI is not vulnerable to CVE-2022-22965 and CVE-2022-22963.

Additional Information

CVE-2022-22965 - SOI is not vulnerable because it still runs on JRE 1.8, and the vulnerability requires JDK 9+.

CVE-2022-22963 - SOI is not vulnerable because it does not use the vulnerable library (Spring Cloud Function).
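
One way to check the two conditions cited above on an installation directory, as an added example that is not part of the vendor's article: it reads the `release` file of any bundled JRE/JDK to get the Java major version, and looks for `spring-cloud-function` jars both on disk and nested inside WAR/JAR archives. The function names and the directory layout and file names created by `build_sample` are constructed for illustration and are not real SOI paths.

```python
import os
import re
import tempfile
import zipfile

RELEASE_RE = re.compile(r'^JAVA_VERSION="(\d[^"]*)"', re.M)
CF_JAR_RE = re.compile(r"(^|[\\/])spring-cloud-function[^\\/]*\.jar$", re.I)


def java_major(version):
    """'1.8.0_312' -> 8, '11.0.14' -> 11 (versions before 9 start with '1.')."""
    parts = re.split(r"[._+-]", version)
    return int(parts[1]) if parts[0] == "1" and len(parts) > 1 else int(parts[0])


def audit(root):
    """Collect bundled Java versions and spring-cloud-function jars under root."""
    java, hits = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == "release":  # version file at the top of a JRE/JDK
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if m := RELEASE_RE.search(fh.read()):
                        java[dirpath] = java_major(m.group(1))
            if CF_JAR_RE.search(name):
                hits.append(path)
            elif name.lower().endswith((".jar", ".war", ".ear")) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:  # libraries nested in a WAR or fat JAR
                    hits += [f"{path}!{n}" for n in zf.namelist() if CF_JAR_RE.search(n)]
    return {"java": java,
            "jdk9_plus": any(v >= 9 for v in java.values()),  # CVE-2022-22965 condition
            "cloud_function": sorted(hits)}  # CVE-2022-22963 component


def build_sample(root, java_version, nested_jar=None):
    """Constructed sample tree (not real SOI paths): one JRE and one WAR."""
    os.makedirs(os.path.join(root, "jre"))
    with open(os.path.join(root, "jre", "release"), "w") as fh:
        fh.write(f'JAVA_VERSION="{java_version}"\n')
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/spring-core-5.3.17.jar", b"")
        if nested_jar:
            zf.writestr(nested_jar, b"")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, "1.8.0_312")
        print(audit(tmp))
```

Matching by file name misses libraries repackaged under a different name, so an empty `cloud_function` list supports the statement above but does not replace the vendor's own assessment.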