Two new CVEs for Spring4Shell Zero-Day Vulnerability:
CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
Is CA Service Desk Manager vulnerable to the above two (2) Spring4Shell vulnerabilities?
Service Desk Manager 17.x
All Supported Operating Systems
Our Engineering team has reviewed these recent Spring Framework vulnerabilities.
According to Spring's official advisory, a product is vulnerable if it uses either of the following dependencies:
spring-webmvc or spring-webflux
Since CA Service Desk Manager does NOT use either of these dependencies, the CA Service Desk Manager application is NOT vulnerable to the Spring4Shell vulnerabilities listed above.
Note: While SDM itself is not directly impacted by the Spring4Shell vulnerabilities, removing the Spring jar file components is also not advised, because other SDM components rely on them for interoperability.
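The dependency condition above can be verified on an installed system rather than taken on trust. The following POSIX shell script is an added example, not part of this article or of the product; it assumes only an install directory to scan, inventories the Spring jars found there (which the note says must stay in place), and reports whether either of the two dependencies named in Spring's advisory is present.

```shell
#!/bin/sh
# Added example (not from the CA/Broadcom article): check an installation tree
# for the spring-webmvc / spring-webflux jars that Spring's Spring4Shell
# advisory names as the vulnerable dependencies. The directory to scan is an
# assumption supplied by the caller, e.g. the product's install root.

# Print every Spring jar below the directory, so the administrator has an
# inventory of the components the article says should not be removed.
list_spring_jars() {
    find "$1" -type f -name 'spring-*.jar' 2>/dev/null | sort
}

# Print only the jars matching the two dependencies named in the advisory.
find_spring4shell_deps() {
    find "$1" -type f \( -name 'spring-webmvc-*.jar' -o -name 'spring-webflux-*.jar' \) 2>/dev/null | sort
}

# Exit status 0 when neither dependency is present (the condition the article
# relies on), 1 when at least one matching jar was found.
spring4shell_deps_absent() {
    [ -z "$(find_spring4shell_deps "$1")" ]
}

# Report a summary for the directory given as the first argument.
report_spring4shell_deps() {
    dir="$1"
    echo "Spring jars under $dir:"
    list_spring_jars "$dir" | sed 's/^/  /'
    if spring4shell_deps_absent "$dir"; then
        echo "spring-webmvc/spring-webflux: not present (vulnerable dependencies absent)"
    else
        echo "spring-webmvc/spring-webflux: PRESENT, review against the Spring advisory:"
        find_spring4shell_deps "$dir" | sed 's/^/  /'
    fi
}

# Usage: run against a real install path; the directory below is a placeholder.
[ "${1:-}" ] && report_spring4shell_deps "$1"
```

The script only inspects file names; a jar renamed or shaded into another archive would not be caught, so treat a clean result as confirmation of the advisory's condition, not as a full software inventory.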