
Spring4Shell zero-day exploit (CVE-2022-22963 and CVE-2022-22965): vulnerability status for CA App Synthetic Monitor


Article ID: 238526


Products

CA App Synthetic Monitor

Issue/Introduction

Two CVEs have been published for the new Spring4Shell zero-day vulnerability:

- CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
  https://tanzu.vmware.com/security/cve-2022-22963
- CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
  https://tanzu.vmware.com/security/cve-2022-22965

Is CA App Synthetic Monitor impacted by this vulnerability?

Environment

All Supported Environments

Resolution

Broadcom Agile Operations Development has investigated this and determined that ASM is not vulnerable, because:
1) JMeter samplers that use the Spring library are banned: if a JMeter script containing such samplers is uploaded, the script is rejected.
2) The JMeter agent runs on Java 1.8 (Java 1.9 or later is required for the vulnerability to be exploitable).
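As an added illustration of the two mitigations above (this is not CA ASM's own code; the page does not describe how the product actually validates uploads), the Python below applies a class-name deny-list to a JMeter .jmx upload and classifies the agent's `java.version` string against the JDK 9+ precondition of CVE-2022-22965. Assumptions: a Spring-based sampler is recognised by a class name under `org.springframework.` appearing either in a `testclass` attribute or in a `<stringProp name="classname">` element (the form JMeter's Java Request sampler uses); the .jmx fragments and the version strings are constructed for the example.

```python
"""Upload pre-check and JVM version check modelled on the two ASM mitigations.
Illustrative code, not CA ASM's implementation."""
import re
import xml.etree.ElementTree as ET

# Assumption: any class under org.springframework. counts as a Spring sampler.
DENIED_CLASS_PREFIXES = ("org.springframework.",)


def find_denied_classes(jmx_xml: str) -> list:
    """Return every class name in the .jmx that matches the deny-list.

    Two places are inspected: the `testclass` attribute every JMeter element
    carries, and the `classname` stringProp that a Java Request sampler uses to
    name the class it will invoke.
    """
    root = ET.fromstring(jmx_xml)
    hits = []
    for elem in root.iter():
        candidates = [elem.get("testclass") or ""]
        if elem.tag == "stringProp" and elem.get("name") == "classname":
            candidates.append((elem.text or "").strip())
        for cls in candidates:
            if cls.startswith(DENIED_CLASS_PREFIXES):
                hits.append(cls)
    return hits


def script_is_accepted(jmx_xml: str) -> bool:
    """Accept the upload only when no denied class is referenced."""
    return not find_denied_classes(jmx_xml)


def jdk_major(version_string: str) -> int:
    """Map a java.version string to its major release number.

    Handles both numbering schemes: the legacy '1.8.0_292' form (major is the
    second field) and the post-JDK 9 '9', '11.0.2', '17.0.1' form (major is
    the first field).
    """
    m = re.match(r"(\d+)(?:\.(\d+))?", version_string.strip())
    if not m:
        raise ValueError(f"unrecognised java.version: {version_string!r}")
    first, second = int(m.group(1)), m.group(2)
    if first == 1 and second is not None:
        return int(second)
    return first


def jvm_meets_spring4shell_precondition(version_string: str) -> bool:
    """CVE-2022-22965 needs JDK 9+; True means the runtime is in scope."""
    return jdk_major(version_string) >= 9


# Constructed sample .jmx fragments (not real customer uploads).
CLEAN_JMX = """<jmeterTestPlan version="1.2"><hashTree>
  <HTTPSamplerProxy guiclass="HttpTestSampleGui"
      testclass="HTTPSamplerProxy" testname="GET /health"/>
</hashTree></jmeterTestPlan>"""

SPRING_JMX = """<jmeterTestPlan version="1.2"><hashTree>
  <HTTPSamplerProxy guiclass="HttpTestSampleGui"
      testclass="HTTPSamplerProxy" testname="GET /health"/>
  <JavaSampler guiclass="JavaTestSamplerGui" testclass="JavaSampler"
      testname="spring call">
    <stringProp name="classname">org.springframework.example.HypotheticalSampler</stringProp>
  </JavaSampler>
</hashTree></jmeterTestPlan>"""

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_JMX), ("spring", SPRING_JMX)):
        verdict = "accepted" if script_is_accepted(doc) \
            else f"rejected: {find_denied_classes(doc)}"
        print(f"{name}: {verdict}")
    for v in ("1.8.0_292", "9", "11.0.2", "17.0.1"):
        scope = "JDK 9+" if jvm_meets_spring4shell_precondition(v) else "pre-JDK 9"
        print(f"java.version {v}: {scope}")
```

The version parser is the part worth keeping around: `java -version` on a Java 8 agent reports `1.8.0_x`, and a naive check on the first numeric field would classify every legacy runtime as "1", so the legacy scheme must be special-cased before comparing against 9.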

 

Therefore, no action is required by the customer or by Broadcom.

*** As of 22 April 2022, the Spring Framework has been completely removed from JMeter on all public monitoring stations.

Additional Information

Additional information is available via 33096567.