
Spring4Shell Vulnerabilities CVE-2022-22963 CVE-2022-22965 and CA Service Desk Manager


Article ID: 238615


Products

CA Service Desk Manager

Issue/Introduction

Two new CVEs for the Spring4Shell zero-day vulnerability:

CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression

https://tanzu.vmware.com/security/cve-2022-22963

CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

https://tanzu.vmware.com/security/cve-2022-22965

Is CA Service Desk Manager vulnerable to the above two (2) Spring4Shell vulnerabilities?

Environment

Service Desk Manager 17.x

All Supported Operating Systems

Resolution

Our Engineering team has looked into these recent Spring Framework vulnerabilities.

As per the official Spring announcement, a product is vulnerable if it uses any of the dependencies below:

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

spring-webmvc or spring-webflux

Since CA Service Desk Manager does NOT use either of the above dependencies, the CA Service Desk Manager application is NOT vulnerable to the Spring4Shell vulnerabilities listed above.
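The statement above rests on which Spring artifacts are actually shipped with an installation, and a practitioner will usually want to confirm that on their own servers rather than take it on trust. The following script is an added example (it is not part of this article and not a Broadcom or CA tool): it walks an installation directory, looks for `spring-webmvc` and `spring-webflux` jar files, and also looks inside `.jar`, `.war` and `.ear` archives, since Spring jars are often bundled under `WEB-INF/lib`. The directory layout and jar names it builds for its own demonstration are constructed sample data, not the real product layout; the version strings it reports can then be compared against the Spring announcement linked above.

```python
"""Inventory spring-webmvc / spring-webflux artifacts under an install directory.

Added example; not part of the knowledge base article or of CA Service Desk Manager.
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# The two dependencies the Spring announcement names as the precondition.
WATCHED_ARTIFACTS = ("spring-webmvc", "spring-webflux")

# Matches a Maven-style file name such as spring-webmvc-5.3.17.jar and
# captures (artifact, version).
ARTIFACT_RE = re.compile(r"(spring-web(?:mvc|flux))-([0-9][A-Za-z0-9.\-]*)\.jar$")

NESTED_SUFFIXES = (".jar", ".war", ".ear")


def _classify(name):
    """Return (artifact, version) if the file name is a watched Spring jar, else None."""
    m = ARTIFACT_RE.search(name)
    return (m.group(1), m.group(2)) if m else None


def _scan_archive(data, location, findings):
    """Look inside archive bytes for watched jars; recurse into nested archives."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for entry in zf.namelist():
                hit = _classify(entry)
                if hit:
                    findings.append((f"{location}!{entry}", hit[0], hit[1]))
                elif entry.lower().endswith(NESTED_SUFFIXES):
                    # e.g. an EAR that contains a WAR that contains WEB-INF/lib jars
                    _scan_archive(zf.read(entry), f"{location}!{entry}", findings)
    except zipfile.BadZipFile:
        # Not a real zip (corrupt or misnamed); nothing to inspect.
        pass


def find_spring_web_artifacts(root):
    """Return a list of (location, artifact, version) for every watched jar under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        hit = _classify(path.name)
        if hit:
            findings.append((str(path), hit[0], hit[1]))
        elif path.name.lower().endswith(NESTED_SUFFIXES):
            _scan_archive(path.read_bytes(), str(path), findings)
    return findings


def build_sample_install(root):
    """Create a constructed, fake install tree for demonstration (not a real layout)."""
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    (root / "webapps").mkdir(parents=True, exist_ok=True)
    # A plain Spring core jar (out of scope) and a top-level spring-webmvc jar.
    for jar in ("spring-core-5.3.17.jar", "spring-webmvc-5.3.17.jar"):
        with zipfile.ZipFile(root / "lib" / jar, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    # A WAR that bundles spring-webflux under WEB-INF/lib.
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(root / "webapps" / "app.war", "w") as war:
        war.writestr("WEB-INF/lib/spring-webflux-5.3.16.jar", inner.getvalue())


def demo():
    """Run the scan over the constructed tree and return (artifact, version) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp)
        return [(artifact, version) for _, artifact, version in find_spring_web_artifacts(tmp)]


if __name__ == "__main__":
    for artifact, version in demo():
        print(f"{artifact} {version}")
```

Point `find_spring_web_artifacts()` at the product's installation root (the Tomcat or application server directories included) and review every line it prints; an empty result means neither named dependency is present on disk, which is the condition the resolution above relies on.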

Additional Information

Spring4Shell Vulnerabilities CVE-2022-22963 CVE-2022-22965 and JasperReports Server and JasperStudio

Spring4Shell ZERO-day exploit CVE-2022-22963 and CVE-2022-22965 vulnerability for Service Catalog