
CVE-2022-22965 Impact on Siteminder components


Article ID: 238601


Updated On:


CA Single Sign On Agents (SiteMinder) SITEMINDER


Is there any impact from the CVE-2022-22965 vulnerability on any of the Broadcom SiteMinder components?




Release: 12.8.x



- From the CVE details, these are the prerequisites for the exploit:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency


- Symantec SiteMinder AdminUI ships with spring-webmvc or spring-webflux jars.

Based on the vulnerability details, the issue involves ClassLoader access, and the specific attack reported uses a Tomcat-specific ClassLoader.

Since AdminUI is deployed on JBoss WildFly, it is not impacted by this vulnerability.

- Symantec Access Gateway and the SharePoint agents do not use spring-webmvc or spring-webflux in any of their deployments and are therefore not impacted.

NOTE: No other SiteMinder components, such as Policy Server or Agents, use the Tomcat application server, so they are not impacted by this vulnerability.
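One way to evaluate the four prerequisites listed above for a given deployment, as an added example that is not Broadcom's or the article's own code. The function names, the sample WAR and its `0.0.0` jar versions are constructed for illustration; the Java version string and container name are assumed to be supplied by whoever runs the check.

```python
import io
import re
import zipfile

# spring-webmvc / spring-webflux jars bundled under WEB-INF/lib of a WAR.
SPRING_JAR = re.compile(r"^WEB-INF/lib/(spring-web(?:mvc|flux))-([^/]+)\.jar$")


def java_major(version: str) -> int:
    """Map a java.version string to its major release ('1.8.0_321' -> 8, '11.0.14' -> 11)."""
    parts = re.split(r"[._+-]", version)
    return int(parts[1]) if parts[0] == "1" else int(parts[0])


def check_prerequisites(archive, filename: str, java_version: str, container: str) -> dict:
    """Evaluate the article's four prerequisites for one deployed archive."""
    with zipfile.ZipFile(archive) as zf:
        spring = sorted(m.group(0) for m in map(SPRING_JAR.match, zf.namelist()) if m)
    result = {
        "jdk9_or_higher": java_major(java_version) >= 9,
        "tomcat_container": "tomcat" in container.lower(),
        "packaged_as_war": filename.lower().endswith(".war"),
        "spring_web_dependency": bool(spring),
    }
    result["all_prerequisites_met"] = all(result.values())
    result["spring_jars"] = spring  # evidence for the dependency finding
    return result


def build_sample_war(jar_names) -> io.BytesIO:
    """Constructed sample input: an in-memory WAR with empty jars in WEB-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        for name in jar_names:
            zf.writestr(f"WEB-INF/lib/{name}", b"")
    return buf


if __name__ == "__main__":
    war = build_sample_war(["spring-webmvc-0.0.0.jar", "commons-logging-0.0.0.jar"])
    # Same constructed archive under two hosting scenarios.
    for java, container in (("11.0.14", "Apache Tomcat"), ("11.0.14", "WildFly")):
        print(container, check_prerequisites(war, "sample.war", java, container))
```

The WildFly scenario reports the Spring dependency as present but the Tomcat prerequisite as unmet, which mirrors the article's reasoning for AdminUI.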