
Spring4Shell zero-day exploit CVE-2022-22963 and CVE-2022-22965 vulnerability for CA App Synthetic Monitor


Article ID: 238526


Updated On:


CA App Synthetic Monitor


Two CVEs for the new Spring4Shell zero-day vulnerability:

- CVE-2022-22963: Remote code execution in Spring Cloud Function via a malicious Spring Expression (SpEL)
- CVE-2022-22965: Spring Framework RCE via data binding on JDK 9+


Is CA App Synthetic Monitor impacted by this vulnerability?


All Supported Environments


The Broadcom Agile Operations development team has investigated this and determined that ASM is not vulnerable, because:
1) JMeter samplers that use the Spring library are banned: if an uploaded JMeter script contains such samplers, the script is rejected. This is what keeps CVE-2022-22963 (Spring Cloud Function) out of reach, since that issue does not depend on the JDK version.
2) The JMeter agent runs on Java 8 (Java 9 or later is required for CVE-2022-22965, the Spring Framework data-binding RCE, to be exploitable).


Therefore, no action is required by customers or by Broadcom.
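Point 1 above amounts to validating every uploaded .jmx file before it reaches the agent, and the safest way to do that is to allowlist the test-element classes the platform accepts rather than to hunt for known-bad ones. The following is an added example written for this article, not ASM's or Broadcom's own code; the allowlist, the "spring" deny pattern and the two sample scripts are assumptions for illustration (ASM does not publish its actual list), and any class not on the allowlist is rejected, so an unknown plugin sampler fails closed.

```python
"""Upload-time validator for JMeter (.jmx) scripts.

Added example, not ASM's code. A JMX file is XML in which every test element
carries a ``testclass`` attribute naming the JMeter class that implements it.
We reject the whole script if any element's class is not on an allowlist, and
report Spring-related classes separately so the rejection reason is clear.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Assumed allowlist of JMeter test-element classes the platform accepts.
# Short (unqualified) class names, as JMeter writes them for its core elements.
ALLOWED_TESTCLASSES = {
    "TestPlan", "ThreadGroup", "Arguments", "HeaderManager", "CookieManager",
    "HTTPSamplerProxy", "ResponseAssertion", "ConstantTimer", "ResultCollector",
}

# Assumed deny pattern: any class whose fully qualified name mentions Spring.
DENY_SUBSTRINGS = ("spring",)


def check_jmx(jmx_text: str) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons). Unparseable input is rejected (fail closed).

    xml.etree does not resolve external entities, so untrusted input cannot
    pull in local files here; for stricter parsing use defusedxml.
    """
    try:
        root = ET.fromstring(jmx_text)
    except ET.ParseError as exc:
        return False, [f"unparseable JMX: {exc}"]

    reasons: List[str] = []
    for elem in root.iter():            # walks every element, including nested hashTrees
        testclass = elem.get("testclass")
        if testclass is None:           # hashTree and the root element carry no class
            continue
        if any(s in testclass.lower() for s in DENY_SUBSTRINGS):
            reasons.append(f"denied class {testclass} (Spring-based sampler)")
            continue
        short_name = testclass.rsplit(".", 1)[-1]   # plugin classes are fully qualified
        if short_name not in ALLOWED_TESTCLASSES:
            reasons.append(f"class {testclass} not in allowlist")
    return (not reasons), reasons


# Constructed sample: a plain HTTP monitor script that should be accepted.
GOOD_JMX = """
<jmeterTestPlan version="1.2" properties="5.0" jmeter="5.4.1">
  <hashTree>
    <TestPlan guiclass="TestPlanGui" testclass="TestPlan" testname="Test Plan" enabled="true"/>
    <hashTree>
      <ThreadGroup guiclass="ThreadGroupGui" testclass="ThreadGroup" testname="Monitor" enabled="true"/>
      <hashTree>
        <HTTPSamplerProxy guiclass="HttpTestSampleGui" testclass="HTTPSamplerProxy" testname="GET /" enabled="true"/>
        <hashTree/>
      </hashTree>
    </hashTree>
  </hashTree>
</jmeterTestPlan>
"""

# Constructed sample: one hypothetical Spring-backed sampler and one
# hypothetical third-party plugin sampler that is not on the allowlist.
BAD_JMX = """
<jmeterTestPlan version="1.2" properties="5.0" jmeter="5.4.1">
  <hashTree>
    <TestPlan guiclass="TestPlanGui" testclass="TestPlan" testname="Test Plan" enabled="true"/>
    <hashTree>
      <ThreadGroup guiclass="ThreadGroupGui" testclass="ThreadGroup" testname="Monitor" enabled="true"/>
      <hashTree>
        <SpringSampler guiclass="SpringSamplerGui" testclass="com.example.spring.SpringSampler" testname="bean call" enabled="true"/>
        <hashTree/>
        <DummySampler guiclass="DummySamplerGui" testclass="kg.example.samplers.DummySampler" testname="dummy" enabled="true"/>
        <hashTree/>
      </hashTree>
    </hashTree>
  </hashTree>
</jmeterTestPlan>
"""

if __name__ == "__main__":
    for label, script in (("good", GOOD_JMX), ("bad", BAD_JMX)):
        accepted, why = check_jmx(script)
        print(label, "accepted" if accepted else "rejected", why)
```

Because the decision is allowlist-based, adding a new legitimate sampler means extending `ALLOWED_TESTCLASSES` deliberately; nothing an uploader names in `testclass` can get past the check by avoiding the word "spring".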


*** As of 22 April 2022, the Spring Framework has been completely removed from JMeter on all public monitoring stations.

Additional Information

Additional info via 33096567