Spring4Shell ZERO-day exploit CVE-2022-22963 and CVE-2022-22965 vulnerability for CA Continuous Delivery Director (CDD)

Article ID: 238531

Products

Continuous Delivery Director Continuous Delivery Director SAAS

Issue/Introduction

Two CVEs for the new Spring4Shell zero-day vulnerability:

Is CA Continuous Delivery Director (CDD) impacted by either of these vulnerabilities?

Resolution

In short:

  • CDD SaaS: not impacted by these vulnerabilities at all.
  • OnPrem CDD:
    • If your CDD OnPrem is running on Java 8.x, CDD is not impacted by these vulnerabilities.
    • If your CDD OnPrem is running on Java 9+, please see the details below.

CVE-2022-22963:

This vulnerability is exploited through Spring Cloud Function. CA Continuous Delivery Director (CDD) does not use Spring Cloud Function. This is true for both CDD SaaS and CDD OnPrem.

CVE-2022-22965:

Several prerequisites must be met for this vulnerability to be exploitable. One of those prerequisites is running on JDK9+.

  • CDD SaaS: CDD SaaS is not impacted by this vulnerability, as CDD SaaS does not use JDK9.
  • CDD OnPrem: CDD officially supports Java JRE 8.x and Java JRE 11.0, not JDK9. It is recommended to evaluate your environment to confirm that JDK9+ is not being used. If JDK9+ is in use, the options for mitigating this vulnerability are:
    • Replace JDK9+ with the latest version of Java JRE 8.x; and/or
    • Use Tomcat 8.5.78, which addresses this vulnerability.
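The following POSIX shell check is an added example, not part of this article or of CDD itself. It applies the two conditions above (Java major version 9 or higher, and whether the Tomcat in use is at least 8.5.78) to a host so an OnPrem administrator can classify a server; the Tomcat version is supplied by the operator as an input because where CDD's Tomcat records its version is not stated here.

```shell
#!/bin/sh
# Added example: classify a CDD OnPrem host against the CVE-2022-22965
# prerequisites described in the article (JDK9+ and Tomcat < 8.5.78).

# Print the Java major version from the first line of `java -version 2>&1`.
# "1.8.0_322" -> 8 (legacy scheme); "11.0.14" -> 11; "17" -> 17.
java_major_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    [ -n "$ver" ] || { echo 0; return 1; }   # banner not recognised
    case "$ver" in
        1.*) printf '%s\n' "$ver" | cut -d. -f2 | sed 's/[^0-9].*//' ;;
        *)   printf '%s\n' "$ver" | cut -d. -f1 | sed 's/[^0-9].*//' ;;
    esac
}

# Return 0 (true) when dotted version $1 >= $2, comparing three numeric fields.
version_ge() {
    a="$1.0.0"; b="$2.0.0"; i=1       # pad so every field exists
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# $1: java -version banner line, $2: Tomcat version the CDD instance runs on.
# Prints one of: not-impacted | mitigated | action-required | unknown-java
cdd_exposure_status() {
    major=$(java_major_version "$1") || { echo "unknown-java"; return 0; }
    if [ "$major" -lt 9 ]; then
        echo "not-impacted"            # JDK9+ prerequisite is absent (Java 8.x)
    elif version_ge "$2" 8.5.78; then
        echo "mitigated"               # Tomcat level named in the article
    else
        echo "action-required"         # move to JRE 8.x or Tomcat 8.5.78
    fi
}

# Live report for this host, guarded so the script also runs where java is absent.
# TOMCAT_VERSION is an assumed environment variable the operator sets.
if command -v java >/dev/null 2>&1; then
    banner=$(java -version 2>&1 | head -n 1)
    echo "Java: $banner"
    echo "Status: $(cdd_exposure_status "$banner" "${TOMCAT_VERSION:-0}")"
fi
```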

Additional Information

Spring Framework RCE, Early Announcement