Two CVEs for new Spring4Shell Zero-Day Vulnerability:
CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
Is Service Catalog vulnerable to the above Spring4Shell vulnerabilities?
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
This vulnerability affects the Service Catalog versions listed below:
Service Catalog 17.2 and 17.3
All Supported Operating Systems
Yes, Service Catalog is indeed vulnerable, but only CVE-2022-22965 is applicable to Service Catalog.
Temporary Workaround - upgrade Service Catalog's Tomcat to version 8.5.78. Skip this if the Service Catalog Tomcat installation is already at version 8.5.78.
1. Download apache-tomcat-8.5.78-windows-x86.zip from http://archive.apache.org/dist/tomcat/tomcat-8/v8.5.78/bin
2. Log in to your CA Service Catalog server and stop the CA Service Catalog service.
3. Double-click usm.cmd located under the USM_HOME directory (i.e. the CA Service Catalog install folder). This launches the CA Service Catalog command prompt.
4. Run “ant upgrade-tomcat” and provide the required details.
Note: If Service Catalog is at version 17.3 RU13 and ant.zip was not extracted correctly under the USM_HOME/bin/ant folder, extract the ant.zip located in USM_HOME/bin/ant manually before running the ant command.
5. Restart the CA Service Catalog services.
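To confirm that the workaround is actually in place on a server, it is worth checking the Tomcat build that Service Catalog runs rather than relying on the ant output. The following PowerShell script is an added example and not part of this KB article or the product; it reads server.number from ServerInfo.properties inside Tomcat's catalina.jar and compares it with 8.5.78. The location of the Tomcat directory under the Service Catalog installation is assumed and is passed in as a parameter.

```powershell
# Added example (not from the KB article): verify the Tomcat build used by
# Service Catalog is 8.5.78 or later. -TomcatHome is the Tomcat root directory
# of your Service Catalog installation (assumed; supply the real path).
param(
    [Parameter(Mandatory = $true)]
    [string]$TomcatHome
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

$catalinaJar = Join-Path $TomcatHome 'lib\catalina.jar'
if (-not (Test-Path $catalinaJar)) {
    throw "catalina.jar not found at $catalinaJar"
}

# Tomcat records its build number in this properties file inside catalina.jar
$zip = [System.IO.Compression.ZipFile]::OpenRead($catalinaJar)
try {
    $entry = $zip.GetEntry('org/apache/catalina/util/ServerInfo.properties')
    if ($null -eq $entry) {
        throw 'ServerInfo.properties is missing from catalina.jar'
    }
    $reader = New-Object System.IO.StreamReader($entry.Open())
    try { $props = $reader.ReadToEnd() } finally { $reader.Dispose() }
}
finally {
    $zip.Dispose()
}

# server.number has the form 8.5.78.0; take the first matching line
$line = ($props -split "`r?`n") |
    Where-Object { $_ -match '^server\.number=' } |
    Select-Object -First 1
if (-not $line) {
    throw 'server.number not present in ServerInfo.properties'
}

$installed = [version](($line -replace '^server\.number=', '').Trim())
$required  = [version]'8.5.78.0'

if ($installed -ge $required) {
    Write-Output "Tomcat $installed found under $TomcatHome: workaround already applied."
} else {
    Write-Output "Tomcat $installed found under $TomcatHome: run 'ant upgrade-tomcat' to move to 8.5.78."
}
```

Run it from an elevated PowerShell session on the Service Catalog server, for example `.\Check-TomcatVersion.ps1 -TomcatHome 'D:\Path\To\ServiceCatalog\Tomcat'`. Reading the build number from catalina.jar rather than from a directory name catches the case where a newer Tomcat was unpacked beside the old one but the service still points at the old installation.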
Long Term Remediation
Service Catalog (Spring4Shell CVE-2022-22965) Hot Fix has been published and is available for download from the Broadcom Support portal.
A couple of notes:
1. The Service Catalog (Spring4Shell CVE-2022-22965) Hot Fix has a pre-requisite of 17.3 RU13. Details on installing RU13 can be located at: https://techdocs.broadcom.com/us/en/ca-enterprise-software/business-management/ca-service-management/17-3/installing/Installing-CA-Service-Management-17-3-0-13.html
2. As always, we recommend testing all changes in a non-production environment first and ensuring that there is a valid server(s) and MDB backup.
Note: Service Catalog 17.2 customers should consider upgrading to 17.3 in order to use the long-term remediation patch, or apply the temporary workaround described in this KB article to reduce the impact of this vulnerability.