Is there any impact from the CVE-2022-22965 vulnerability on any of the Broadcom SiteMinder components?
CVE-2022-22965 --> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
Release: 12.8.x
Component: SITEMINDER - POLICY SERVER
- From the CVE details, these are the prerequisites for the exploit:
- Symantec SiteMinder AdminUI comes with spring-webmvc or spring-webflux jars.
Based on the vulnerability details (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-22965), the issue involves ClassLoader access, and the specific attack reported relies on a Tomcat-specific ClassLoader.
Since AdminUI is deployed on JBoss WildFly, it is not impacted by this vulnerability.
- Symantec Access Gateway and SharePoint's agents do not use spring-webmvc or spring-webflux in any of their deployments and hence are not impacted.
NOTE --> No other SiteMinder components, such as the Policy Server or Agents, use the Tomcat app server, and hence they are not impacted by this vulnerability.
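To check on your own hosts which deployments actually bundle the spring-webmvc or spring-webflux jars named above, the following added example (not Broadcom's code) walks a directory and looks inside nested EAR/WAR/JAR archives. The function names, the sample archive layout and the `0.0.0` version strings are constructed for illustration.

```python
import io
import os
import zipfile

TARGETS = ("spring-webmvc", "spring-webflux")  # jar names from the advisory text
ARCHIVES = (".jar", ".war", ".ear")

def find_spring_web_jars(data, origin, depth=0, max_depth=4):
    """List spring-webmvc/webflux jars inside archive bytes, following nesting."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a readable archive: nothing to report
    hits = []
    with zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1].lower()
            path = f"{origin}!/{info.filename}"
            if base.endswith(".jar") and base.startswith(TARGETS):
                hits.append(path)
            elif base.endswith(ARCHIVES) and depth < max_depth:
                # depth cap bounds recursion on deeply nested archives
                hits += find_spring_web_jars(zf.read(info), path, depth + 1, max_depth)
    return hits

def scan_tree(root):
    """Walk a deployment directory and report matching jars, loose or bundled."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low, full = name.lower(), os.path.join(dirpath, name)
            if low.endswith(".jar") and low.startswith(TARGETS):
                hits.append(full)
            elif low.endswith(ARCHIVES):
                with open(full, "rb") as fh:
                    hits += find_spring_web_jars(fh.read(), full)
    return hits

def build_sample_ear():
    """Constructed sample: an EAR holding a WAR that bundles two placeholder jars."""
    def zip_bytes(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, content in entries.items():
                z.writestr(name, content)
        return buf.getvalue()
    jar = zip_bytes({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
    war = zip_bytes({"WEB-INF/lib/spring-webmvc-0.0.0.jar": jar,
                     "WEB-INF/lib/other-lib-0.0.0.jar": jar})
    return zip_bytes({"app.war": war})
```

Call `scan_tree()` with the deployment directory of the application server you want to inventory. A hit only shows that the jar is bundled; the assessment above also depends on which application server hosts the component.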