
CVE-2022-22965 Impact on Siteminder components


Article ID: 238601


Updated On:

Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction

Is there any impact from the CVE-2022-22965 vulnerability on any of the Broadcom SiteMinder components?

CVE-2022-22965 --> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965


Environment

Release : 12.8.x

Component : SITEMINDER -POLICY SERVER

Resolution

- From the CVE details, these are the prerequisites for the specific exploit that was reported:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency


- Symantec SiteMinder AdminUI ships with the spring-webmvc and spring-webflux jars, so the dependency prerequisite is met.

Based on the vulnerability details (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965), the flaw is in Spring data binding and involves ClassLoader access; the specific attack reported abuses a Tomcat-specific ClassLoader.

Since AdminUI is deployed on JBoss WildFly rather than Apache Tomcat, that attack path does not apply and AdminUI is not impacted by this vulnerability. Note that the CVE description itself states that the underlying issue is more general than the reported Tomcat exploit, so when assessing a deployment it is still worth confirming which Spring Framework version the AdminUI jars are at relative to the fixed releases (5.3.18 and 5.2.20 and later).

- Symantec Access Gateway and the SharePoint agent do not use spring-webmvc or spring-webflux in any of their deployments, hence they are not impacted.

NOTE --> No other SiteMinder components, such as the Policy Server or the Agents, use the Tomcat application server, hence they are not impacted by this vulnerability.
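As an added worked example (not part of the Broadcom article), the following Python script turns the prerequisite checklist above and the Tomcat-versus-WildFly reasoning into a triage function that can be run against an inventory of a deployment's jars. It assumes the fixed Spring Framework versions from the Spring advisory (5.3.18 for the 5.3 line, 5.2.20 for the 5.2 line, with older unsupported lines treated as affected); the jar names, Java versions and container names in the sample deployments are constructed to mirror the cases discussed in the article, not taken from a real SiteMinder install.

```python
"""Checklist-style triage for CVE-2022-22965 exposure.

Added example, not Broadcom or Spring code. It encodes the prerequisites
listed for the reported exploit (JDK 9+, Apache Tomcat, WAR packaging,
spring-webmvc/spring-webflux) and the Spring Framework fixed versions
(5.3.18 and 5.2.20). All sample data below is constructed.
"""
import re
from dataclasses import dataclass

# Matches e.g. spring-webmvc-5.3.16.jar or spring-webflux-5.2.19.RELEASE.jar
JAR_RE = re.compile(
    r"^(spring-web(?:mvc|flux))-(\d+)\.(\d+)\.(\d+)(?:[.-].*)?\.jar$"
)

# First fixed patch release per supported Spring Framework line.
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}


def spring_version_is_fixed(version):
    """True if (major, minor, patch) is at or past the fix for its line."""
    major, minor, _patch = version
    fixed = FIXED.get((major, minor))
    if fixed is None:
        # Lines before 5.2 are out of support and listed as affected;
        # lines after 5.3 (and 6.x) postdate the fix.
        return (major, minor) > (5, 3)
    return version >= fixed


def find_spring_web_jars(jar_names):
    """Return {jar_name: (major, minor, patch)} for spring-webmvc/webflux jars."""
    found = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if m:
            found[name] = tuple(int(x) for x in m.group(2, 3, 4))
    return found


@dataclass
class Deployment:
    name: str
    jars: list
    java_major: int
    container: str   # e.g. "tomcat", "wildfly"
    packaging: str   # "war" or "jar"


def assess(dep):
    """Return (exposed_to_reported_exploit, has_affected_spring_jar, reasons).

    'exposed' means every prerequisite of the reported exploit is met AND an
    affected spring-webmvc/webflux version is present. 'has_affected' is kept
    separate because the CVE text says the flaw is more general than that one
    exploit, so an affected jar still deserves an upgrade even when not exposed.
    """
    reasons = []
    web_jars = find_spring_web_jars(dep.jars)
    if not web_jars:
        reasons.append("no spring-webmvc/spring-webflux jar present")
        return False, False, reasons

    affected = {n: v for n, v in web_jars.items() if not spring_version_is_fixed(v)}
    has_affected = bool(affected)
    for n, v in affected.items():
        reasons.append(f"{n} is Spring Framework {'.'.join(map(str, v))}, before the fix")

    prereqs = {
        "JDK 9 or higher": dep.java_major >= 9,
        "Apache Tomcat as the Servlet container": dep.container.lower() == "tomcat",
        "Packaged as WAR": dep.packaging.lower() == "war",
        "spring-webmvc or spring-webflux dependency": True,  # established above
    }
    missing = [k for k, ok in prereqs.items() if not ok]
    for k in missing:
        reasons.append(f"prerequisite not met: {k}")

    exposed = has_affected and not missing
    return exposed, has_affected, reasons


# Constructed samples: one modelled on the AdminUI-on-WildFly case above,
# one on a generic Tomcat WAR that meets every prerequisite.
SAMPLE_ADMINUI_LIKE = Deployment(
    name="adminui-on-wildfly",
    jars=["spring-webmvc-5.3.16.jar", "spring-core-5.3.16.jar"],
    java_major=11,
    container="wildfly",
    packaging="war",
)
SAMPLE_TOMCAT_WAR = Deployment(
    name="other-app-on-tomcat",
    jars=["spring-webflux-5.2.19.RELEASE.jar"],
    java_major=11,
    container="tomcat",
    packaging="war",
)

if __name__ == "__main__":
    for dep in (SAMPLE_ADMINUI_LIKE, SAMPLE_TOMCAT_WAR):
        exposed, has_affected, reasons = assess(dep)
        print(f"{dep.name}: exposed={exposed} affected_jar={has_affected}")
        for r in reasons:
            print("   -", r)
```

On a real host, `dep.jars` would be filled from a directory listing of the application's `WEB-INF/lib` (or the container's module directory) and `java_major` from `java -version`; the script deliberately reports the affected-jar finding separately from the exploit-prerequisite verdict so that a "not exposed" result, as in the WildFly case, does not hide an out-of-date Spring version.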