
Spring4Shell Vulnerabilities CVE-2022-22963 CVE-2022-22965 and JasperReports Server and JasperStudio


Article ID: 238712


Products

CA Service Desk Manager CA Service Management - Service Desk Manager

Issue/Introduction

Two new CVEs for Spring4Shell Zero-Day Vulnerability:

CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression

https://tanzu.vmware.com/security/cve-2022-22963

CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

https://tanzu.vmware.com/security/cve-2022-22965

Are JasperReports Server and JasperStudio, as supported and used by CA Service Management, vulnerable to the above two (2) Spring4Shell vulnerabilities?

Environment

JasperReports Server 7.9 and JasperStudio 7.5

Resolution

1.  JasperSoft products do not use Spring Cloud Function and ARE NOT affected by CVE-2022-22963.  Please refer to the following Tibco document for further details - https://www.tibco.com/support/notices/spring-framework-vulnerability-update

2.  TIBCO is aware of the recently announced CVE-2022-22965 vulnerability.  JasperReports Server 7.9 and JasperStudio 7.5, as supported and used by CA Service Management, ARE vulnerable to CVE-2022-22965.

To remediate the Spring4Shell vulnerability in JasperReports Server 7.9, please apply the JasperReports Server 7.9 Tibco cumulative hotfix from the Broadcom Support Portal:

For Service Management 17.3: https://support.broadcom.com/web/ecx/solutiondetails?aparNo=99111465&os=WINDOWS-ALL

For Service Management 17.2: https://support.broadcom.com/web/ecx/solutiondetails?aparNo=99111466&os=WINDOWS-ALL
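Once the cumulative hotfix has been applied, a practitioner will want to confirm that the Spring Framework jars actually shipped in the JasperReports Server webapp are at a fixed level. The script below is an added example, not Tibco's or Broadcom's code and not part of this KB article. It inventories spring-*.jar files in a WEB-INF/lib directory, restricts itself to Spring Framework artifacts (spring-core, spring-beans, spring-web, spring-webmvc and so on; Spring Security jars use a different version line and are skipped), and flags any version below 5.2.20 or 5.3.18, which are the Spring Framework releases that fix CVE-2022-22965 according to the Spring advisory. The default lib path is an assumption for a Tomcat-bundled install; pass your own path as the first argument.

```shell
#!/bin/sh
# Added example (not from the KB): check Spring Framework jar versions in a
# JasperReports Server webapp against the CVE-2022-22965 fix levels.

# Return 0 if Spring Framework version $1 (e.g. 5.3.18 or 5.2.20.RELEASE)
# is at or above the fixed level (5.2.20 / 5.3.18), 1 otherwise.
spring_version_fixed() {
  v="$1"
  major=$(printf '%s' "$v" | cut -d. -f1)
  minor=$(printf '%s' "$v" | cut -d. -f2)
  patch=$(printf '%s' "$v" | cut -d. -f3 | sed 's/[^0-9].*//')
  patch=${patch:-0}
  if [ "$major" -gt 5 ]; then return 0; fi   # Spring 6.x and later
  if [ "$major" -lt 5 ]; then return 1; fi   # 4.x and older: unsupported, unfixed
  case "$minor" in
    2) [ "$patch" -ge 20 ] ;;                # 5.2.20 fixes CVE-2022-22965
    3) [ "$patch" -ge 18 ] ;;                # 5.3.18 fixes CVE-2022-22965
    *) [ "$minor" -gt 3 ] ;;                 # 5.0/5.1 never received a fix
  esac
}

# Scan a lib directory: print one status line per Spring Framework jar and
# return 0 only if every one of them is at a fixed level.
scan_spring_jars() {
  dir="$1"
  bad=0
  for jar in "$dir"/spring-*.jar; do
    [ -e "$jar" ] || continue
    name=$(basename "$jar" .jar)
    art=$(printf '%s\n' "$name" | sed -n 's/^spring-\([a-z-]*\)-[0-9].*$/\1/p')
    ver=$(printf '%s\n' "$name" | sed -n 's/^spring-[a-z-]*-\([0-9].*\)$/\1/p')
    # Only Spring Framework artifacts share the 5.2.x/5.3.x version line;
    # spring-security-*, spring-data-* etc. are separate projects.
    case "$art" in
      aop|aspects|beans|context|context-support|core|expression|jdbc|jms|\
      messaging|orm|oxm|test|tx|web|webflux|webmvc|websocket) ;;
      *) continue ;;
    esac
    if [ -z "$ver" ]; then
      printf 'UNKNOWN  %s (could not parse version)\n' "$name"
      bad=$((bad + 1))
    elif spring_version_fixed "$ver"; then
      printf 'OK       %s\n' "$name"
    else
      printf 'VULN     %s (below 5.2.20 / 5.3.18)\n' "$name"
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# Assumed default location for a Tomcat-bundled JasperReports Server install;
# override by passing the WEB-INF/lib path as the first argument.
LIB="${1:-/opt/jasperreports-server/apache-tomcat/webapps/jasperserver-pro/WEB-INF/lib}"
if [ -d "$LIB" ]; then
  if scan_spring_jars "$LIB"; then
    echo "All Spring Framework jars in $LIB are at a fixed level."
  else
    echo "One or more Spring Framework jars in $LIB still need the hotfix."
  fi
fi
```

Run it as `sh check_spring.sh /path/to/jasperserver-pro/WEB-INF/lib` on the server after the hotfix; any VULN line means the hotfix did not replace that jar and the install should be re-checked before the server goes back into service. Remember that CVE-2022-22965 is only exploitable on JDK 9 or newer, so the JDK in use is worth recording alongside the jar inventory.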

A couple of reminders:

1.  For Service Management 17.3, JasperReports Server 7.9 is only supported/certified on 17.3 RU10 or higher.

For information on applying 17.3 RU10 or above, please refer to the following documentation link:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/business-management/ca-service-management/17-3/Release-Information/CA-Service-Management-17-3-0-10-Release-Notes.html

2. For Service Management 17.2, JasperReports Server 7.9 is only supported/certified on 17.2 RU17 or higher.

For information on applying 17.2 RU17 or above, please refer to the following documentation link:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/business-management/ca-service-management/17-2/Release-Notes/CA-Service-Management-17-2-0-17-Release-Notes.html

Tibco will be updating the following page as more information becomes available for JasperStudio 7.5, and this KB article will be updated accordingly:

Java Spring Framework Vulnerability Update for Jaspersoft Products