Two CVEs for New Spring4Shell Zero-Day Vulnerability:
- CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
https://tanzu.vmware.com/security/cve-2022-22963
- CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
https://tanzu.vmware.com/security/cve-2022-22965
Is CA Service Operations Insight (SOI) impacted by this vulnerability?
CA Service Operations Insight
SOI (Application Server, UI Server, Integration Services, MQ Server, Store Indexer, UCF Broker, Catalyst container, EEM 12.6.3, uniCABI 7.1.1)
SOI connectors (APM, Remedy, Helpdesk, UIM, SCOM, ServiceNow, SNMP)
Spring4Shell: New RCE vulnerability uncovered in Java framework
SOI is not vulnerable to CVE-2022-22965 and CVE-2022-22963.
CVE-2022-22965 - SOI is not vulnerable because it still runs on JRE 1.8, and this CVE applies to JDK 9+.
CVE-2022-22963 - SOI is not vulnerable because it does not use the vulnerable library (Spring Cloud Function).
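One way to check both conditions on a host, as an added example that is not Broadcom's or the SOI product's own code: it reads the Java major version from `java -version` output and searches an installation directory for spring-cloud-function jars, including ones nested inside WAR/EAR/fat JAR archives. The function names, the directory you pass in, and the choice of which `java` binary to query are assumptions.

```python
import re
import zipfile
from pathlib import Path

VERSION_RE = re.compile(r'version "([^"]+)"')
JAR_RE = re.compile(r'(?:^|/)spring-cloud-function-[^/]*\.jar$')
ARCHIVES = {".jar", ".war", ".ear"}

def java_major(banner):
    """Return the Java major version from `java -version` output, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    parts = re.split(r"[._+-]", m.group(1))
    try:
        first = int(parts[0])
        # Legacy scheme: "1.8.0_322" means Java 8; modern scheme: "11.0.14" means 11.
        return int(parts[1]) if first == 1 and len(parts) > 1 else first
    except ValueError:
        return None

def find_spring_cloud_function(root):
    """List spring-cloud-function jars under root, including nested archive entries."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in ARCHIVES:
            continue
        if JAR_RE.search(path.name):
            hits.append(str(path))
            continue
        try:
            with zipfile.ZipFile(path) as zf:
                hits += [f"{path}!{n}" for n in zf.namelist() if JAR_RE.search(n)]
        except (zipfile.BadZipFile, OSError):
            pass  # unreadable archive: skipped here, inspect it by hand
    return hits

def assess(banner, root):
    major = java_major(banner)
    return {
        "java_major": major,
        # JDK 9+ is the condition named in the CVE-2022-22965 title;
        # an unparseable version is treated as possibly affected.
        "cve_2022_22965_precondition": major is None or major >= 9,
        "cve_2022_22963_library_present": bool(find_spring_cloud_function(root)),
    }

if __name__ == "__main__":
    import subprocess, sys
    out = subprocess.run(["java", "-version"], capture_output=True, text=True)
    print(assess(out.stderr + out.stdout, sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it with the JRE the product actually launches with, since a host can carry more than one Java installation.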