Spring4Shell: CVE-2022-22963 CVE-2022-22965 - Multiple Product

Article ID: 238527

Products

- CA Service Management - Asset Portfolio Management
- CA Service Management - Service Desk Manager
- CA Service Desk Manager
- CA Service Desk Manager - Xtraction
- CA Business Service Insight
- CA IT Asset Manager
- CA IT Asset Manager Asset Portfolio Management
- CA Process Automation Base
- CA Plex
- Embedded Security Critical System Protection
- CA Capacity Manager
- CA Client Automation
- CA Client Automation - Asset Intelligence
- CA Client Automation - Asset Management
- CA Client Automation - Desktop Migration Manager
- CA Client Automation - IT Client Manager
- CA Client Automation - Patch Manager
- CA Client Automation - Remote Control
- CA Client Automation - Software Delivery
- CA Configuration Automation
- CA Application Delivery Analysis (NetQoS / ADA)
- CA Application Delivery Analysis MTP (NetQoS / ADA)

Issue/Introduction

Two CVEs were published for the Spring4Shell zero-day vulnerability:

- CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
  https://tanzu.vmware.com/security/cve-2022-22963

- CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
  https://tanzu.vmware.com/security/cve-2022-22965

Environment

All Supported Versions


Resolution

The following products are not impacted by the Spring vulnerabilities CVE-2022-22963 and CVE-2022-22965:

APPLICATION DELIVERY ANALYSIS
BUSINESS SERVICE INSIGHT
CAPACITY MANAGER
CLIENT AUTOMATION
CONFIGURATION AUTOMATION
IT ASSET MANAGER
IT PROCESS AUTOMATION
SERVICE DESK MANAGER
SERVICE MANAGEMENT
EEM
CAPKI
UNIFIED COMMUNICATIONS MONITOR