Spring4Shell Vulnerabilities CVE-2022-22963 CVE-2022-22965 and CA Service Desk Manager
search cancel

Spring4Shell Vulnerabilities CVE-2022-22963 CVE-2022-22965 and CA Service Desk Manager


Article ID: 238615


Updated On:


CA Service Desk Manager CA Service Management - Service Desk Manager


Two new CVEs for Spring4Shell Zero-Day Vulnerability:

CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression


CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+


Is CA Service Desk Manager vulnerable to the above two (2) Spring4Shell vulnerabilities?


Service Desk Manager 17.x

All Supported Operating Systems


Our Engineering team has looked into these recent Spring Framework vulnerabilities.

As per the Spring official document, if the product uses any of the below dependencies then it is vulnerable


spring-webmvc or spring-webflux 

Since CA Service Desk Manager does NOT use any of the above dependencies, then the CA Service Desk Manager application is NOT vulnerable to the recent Spring4Shell vulnerabilities listed above.

Additional Information

Note:  While SDM itself is not directly impacted by Spring4Shell vulnerabilities, removal of the jar file components is also not advised due to existing interoperability with such components.

Spring4Shell Vulnerabilities CVE-2022-22963 CVE-2022-22965 and JasperReports Server and JasperStudio

Spring4Shell ZERO-day exploit CVE-2022-22963 and CVE-2022-22965 vulnerability for Service Catalog