CVE-2022-22965 - Spring4Shell Vulnerability and Broadcom's Response

Article ID: 239011

Products

CA Agile Requirements Designer
CA Automic Workload Automation - Automation Engine
CA Automic One Automation
Continuous Delivery Director
Continuous Delivery Director SAAS
DX OI SaaS
DX Operational Intelligence
CA Mediation Manager
DX NetOps
CA Agile Central On Premise (Rally)
CA Agile Central SaaS (Rally)
Rally Perpetual Hosted
CA Service Catalog
CA Harvest Software Change Manager
CA Harvest Software Change Manager - OpenMake Meister
Clarity PPM SaaS
Clarity PPM On Premise
CA Workload Automation iXP
CA App Synthetic Monitor
CA Service Management - Asset Portfolio Management
CA Service Management - Service Desk Manager
CA Service Desk Manager
CA Service Desk Manager - Xtraction
CA Business Service Insight
CA IT Asset Manager
CA IT Asset Manager Asset Portfolio Management

Issue/Introduction

Broadcom security and engineering teams are reviewing our information technology environment and product portfolio to identify and remediate any potential exposures to the recently disclosed critical vulnerability in applications using the VMware Spring Framework.

According to a vulnerability report released by VMware on March 31, 2022, a Spring Framework application running on Java Development Kit version 9 or later may be vulnerable to remote code execution attacks and follow-on exploitation under certain conditions. This vulnerability has been assigned CVE-2022-22965 and is known as “Spring4Shell.”
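The precondition stated above (a Spring Framework application running on JDK 9 or later) is the first thing a defender checks when triaging an inventory. The following Python helper is an added example and is not code from this article, Broadcom or VMware. It parses `java -version` style strings, which report JDK 8 and earlier as "1.8.0_x" but JDK 9 and later as "11.0.2" or "17", and combines the JDK major with the Spring Framework version. This page does not state the patched Spring Framework versions, so FIXED_SPRING_VERSIONS is an explicit placeholder to be filled from the vendor advisory; the host names and inventory rows are constructed sample data.

```python
"""Spring4Shell precondition triage over a software inventory (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# PLACEHOLDER: minimum patched version per Spring Framework release line.
# The article does not list these; take the real values from the vendor
# advisory before using this in anger. 999 deliberately flags every
# unpatched-looking 5.3.x / 5.2.x build until the table is filled in.
FIXED_SPRING_VERSIONS: Dict[Tuple[int, int], Version] = {
    (5, 3): (5, 3, 999),
    (5, 2): (5, 2, 999),
}


def parse_jdk_major(version_string: str) -> int:
    """Return the JDK major version from a `java -version` style string.

    JDK 8 and earlier use the legacy '1.x.y_z' scheme (1.8.0_292 is JDK 8);
    JDK 9 and later report the major first ('9', '11.0.14', '17.0.2').
    """
    m = re.search(r"(\d+)(?:\.(\d+))?", version_string)
    if not m:
        raise ValueError(f"unrecognised JDK version string: {version_string!r}")
    first, second = int(m.group(1)), m.group(2)
    if first == 1 and second is not None:
        return int(second)  # legacy scheme: '1.8' -> 8
    return first


def parse_spring_version(version: str) -> Version:
    """Parse '5.3.17', '5.2.20.RELEASE' or '5.3' into a comparable 3-tuple.

    Non-numeric qualifiers such as RELEASE are ignored; missing components
    are padded with zero.
    """
    parts: List[int] = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if len(parts) < 2:
        raise ValueError(f"unrecognised Spring Framework version: {version!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


@dataclass
class Finding:
    host: str
    jdk_major: int
    spring_version: str
    exposed: bool
    reason: str


def triage(host: str, jdk_version_string: str, spring_version: str,
           fixed_versions: Dict[Tuple[int, int], Version] = FIXED_SPRING_VERSIONS) -> Finding:
    """Apply the advisory's precondition (JDK >= 9) and then the patch-level check."""
    jdk_major = parse_jdk_major(jdk_version_string)
    spring = parse_spring_version(spring_version)
    if jdk_major < 9:
        return Finding(host, jdk_major, spring_version, False,
                       "JDK older than 9: advisory precondition not met")
    fixed = fixed_versions.get((spring[0], spring[1]))
    if fixed is None:
        return Finding(host, jdk_major, spring_version, True,
                       "JDK >= 9 and Spring line not in fixed-version table: review")
    if spring >= fixed:
        return Finding(host, jdk_major, spring_version, False,
                       "JDK >= 9 but Spring at or above patched version")
    return Finding(host, jdk_major, spring_version, True,
                   "JDK >= 9 and Spring below patched version: upgrade")


# Constructed sample inventory (host, `java -version` output, Spring version).
SAMPLE_INVENTORY = [
    ("app-01.example", 'openjdk version "1.8.0_292"', "5.3.17"),
    ("app-02.example", 'openjdk version "11.0.14" 2022-01-18', "5.3.17"),
    ("app-03.example", 'java version "17.0.2"', "5.2.20.RELEASE"),
]


def run_inventory(rows=SAMPLE_INVENTORY) -> List[Finding]:
    return [triage(*row) for row in rows]


if __name__ == "__main__":
    for f in run_inventory():
        flag = "EXPOSED " if f.exposed else "ok      "
        print(f"{flag} {f.host:16} jdk={f.jdk_major:<3} spring={f.spring_version:14} {f.reason}")
```

Only hosts meeting the JDK 9+ precondition are compared against the patch table, so JDK 8 hosts are reported as not meeting the precondition rather than as safe in any wider sense; the table itself must be populated from the vendor advisory before the patch-level result means anything.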

Resolution

Corporate Infrastructure and Services: Broadcom’s Global Technology Organization is conducting software asset reviews to identify any potentially affected applications. Any necessary mitigations, including upgrades to patched versions of the Spring Framework, will be implemented in accordance with vendor recommendations. At this time, we have no indication of compromise related to this vulnerability. 

Broadcom Products: Engineers from our product teams are assessing all software that incorporates any version of the vulnerable Spring Framework. More specific information (e.g., information about necessary patches/hotfixes, workarounds, or other required customer actions) is available within the following security advisories from our product divisions, which are regularly updated:

Additional Information

For additional expert insights into the threats posed by the Spring4Shell vulnerability, including information about how our Symantec security products can mitigate exposure to these threats, please visit the Symantec Threat Intelligence blog.

As a founding member of the U.S. Department of Homeland Security's Joint Cyber Defense Collaborative, Broadcom Software partners with the Cybersecurity and Infrastructure Security Agency (CISA) and other industry leaders to share actionable intelligence and insights into exploitation activities relating to this and other critical security vulnerabilities.

Reference - Broadcom Response to Spring4Shell Vulnerability