Two CVEs associated with the Spring4Shell zero-day disclosure:
- CVE-2022-22963: Remote code execution in Spring Cloud Function via a malicious Spring Expression Language (SpEL) expression
https://tanzu.vmware.com/security/cve-2022-22963
- CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
https://tanzu.vmware.com/security/cve-2022-22965
Is CA App Synthetic Monitor impacted by this vulnerability?
All Supported Environments
The Broadcom Agile Operations development team has investigated this and determined that ASM is not vulnerable, because:
1) JMeter samplers that use the Spring library are banned: if a JMeter script containing such samplers is uploaded, the script is rejected.
2) The JMeter agent runs on Java 8, and CVE-2022-22965 requires JDK 9 or later to be exploitable (that JDK condition applies to CVE-2022-22965; CVE-2022-22963 is specific to Spring Cloud Function).
Therefore no action is required by customers or by Broadcom.
*** As of 22 April 2022 the Spring Framework has been completely removed from JMeter on all public monitoring stations.
Additional info via 33096567
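As an added illustration of the two conditions above (example code written for this note, not ASM's own implementation): a validator that rejects an uploaded JMeter test plan referencing the Spring Framework, and a check that the agent JVM reports a major version below 9, the floor named in CVE-2022-22965. The banned-prefix list and both .jmx samples are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Package prefixes whose presence anywhere in a test plan causes rejection.
# Assumed list for this example; ASM's actual block list is not published.
BANNED_PREFIXES = ("org.springframework",)


def find_spring_references(jmx_xml: str) -> list:
    """Scan a JMeter test plan (.jmx XML) and return one (tag, name, where)
    tuple per element that references a banned package, either in its
    sampler class attributes or in a property value such as a script body."""
    findings = []
    root = ET.fromstring(jmx_xml)
    for elem in root.iter():
        testname = elem.get("testname", "")
        # A custom sampler built on Spring would name its class here.
        for attr in ("testclass", "guiclass"):
            if any(p in elem.get(attr, "") for p in BANNED_PREFIXES):
                findings.append((elem.tag, testname, attr))
        # JSR223/BeanShell script bodies and other properties live in element text.
        if elem.text and any(p in elem.text for p in BANNED_PREFIXES):
            findings.append((elem.tag, elem.get("name", testname), "text"))
    return findings


def accept_upload(jmx_xml: str) -> bool:
    """Upload policy: accept only plans with no Spring reference at all."""
    return not find_spring_references(jmx_xml)


def jdk_major(java_version: str) -> int:
    """Major release from the java.version property:
    '1.8.0_312' -> 8 (legacy 1.x scheme), '9.0.4' -> 9, '11.0.2' -> 11, '17' -> 17."""
    parts = java_version.split(".")
    if parts[0] == "1" and len(parts) > 1:
        return int(re.match(r"\d+", parts[1]).group())
    return int(re.match(r"\d+", parts[0]).group())


def jdk_meets_cve_2022_22965_floor(java_version: str) -> bool:
    """True when the runtime is JDK 9 or later, the condition named in CVE-2022-22965."""
    return jdk_major(java_version) >= 9


# Constructed sample plans (not real customer scripts).
SAFE_PLAN = """<jmeterTestPlan version="1.2" properties="5.0">
  <hashTree>
    <TestPlan guiclass="TestPlanGui" testclass="TestPlan" testname="Login check"/>
    <hashTree>
      <HTTPSamplerProxy guiclass="HttpTestSampleGui" testclass="HTTPSamplerProxy" testname="GET /login">
        <stringProp name="HTTPSampler.path">/login</stringProp>
      </HTTPSamplerProxy>
    </hashTree>
  </hashTree>
</jmeterTestPlan>"""

SPRING_PLAN = """<jmeterTestPlan version="1.2" properties="5.0">
  <hashTree>
    <TestPlan guiclass="TestPlanGui" testclass="TestPlan" testname="SpEL plan"/>
    <hashTree>
      <JSR223Sampler guiclass="TestBeanGUI" testclass="JSR223Sampler" testname="Evaluate expression">
        <stringProp name="scriptLanguage">groovy</stringProp>
        <stringProp name="script">import org.springframework.expression.spel.standard.SpelExpressionParser
new SpelExpressionParser().parseExpression(vars.get("expr")).getValue()</stringProp>
      </JSR223Sampler>
    </hashTree>
  </hashTree>
</jmeterTestPlan>"""

if __name__ == "__main__":
    print("safe plan accepted:", accept_upload(SAFE_PLAN))
    print("spring plan findings:", find_spring_references(SPRING_PLAN))
    for v in ("1.8.0_312", "11.0.2"):
        print(v, "meets JDK 9+ floor:", jdk_meets_cve_2022_22965_floor(v))
```

The scan deliberately checks element text as well as class attributes: a plain HTTP sampler never names Spring, but a JSR223 or BeanShell sampler can pull the library in from a script body, which is where the plan above is caught. The version helper handles both the legacy 1.x naming used by Java 8 and the single-number scheme introduced with JDK 9.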