Performance Management Spring Framework CVE-2022-22970 and CVE-2022-22971
Article ID: 243919

Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

DX NetOps Performance Management Portal web server vulnerabilities related to the Spring Framework vulnerabilities

DX NetOps Performance Management Data Aggregator vulnerabilities related to the Spring Framework vulnerabilities

DX NetOps Performance Management Data Collector vulnerabilities related to the Spring Framework vulnerabilities

Security scans report the vulnerability against the following files.

  • Portal web server:
    • /opt/CA/PerformanceCenter/PC/webapps/pc/WEB-INF/lib/spring-core-5.3.9.jar
    • /opt/CA/PerformanceCenter/DM/webapps/dm/WEB-INF/lib/spring-core-5.3.9.jar
    • /opt/CA/PerformanceCenter/sso/webapps/sso/WEB-INF/lib/spring-core-5.3.9.jar
    • /opt/CA/PerformanceCenter/EM/webapps/EventManager/WEB-INF/lib/spring-core-5.3.9.jar
  • Data Aggregator and Data Collector:
    • /opt/IMDataCollector/IMDataCollector/backup/apache-activemq/lib/optional/spring-core-4.3.30.RELEASE.jar
    • /opt/IMDataCollector/IMDataCollector/broker/apache-activemq-5.16.4/lib/optional/spring-core-4.3.30.RELEASE.jar

CVE-2022-22970, CVE-2022-22971
Vendor Reference: Spring Framework Advisory 70, Spring Framework Advisory 71
THREAT: The vulnerability exists in the Spring Framework; it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
Vulnerable Versions: Spring Framework versions 5.3.0 to 5.3.19, 5.2.0 to 5.2.21, and older are vulnerable.
QID Detection (Authenticated) - Linux: The detection logic executes the command locate -b -e -r '^spring\-core.*\.jar$' and the command ls -l /proc/*/fd | grep -Eo '\S+\/spring\S+jar' | uniq 2> /dev/null, and checks whether a spring-core-*.jar is present on the system.
QID Detection (Authenticated) - Windows: On Windows systems, the QID identifies vulnerable instances of Spring via WMI, checking whether spring-core appears in the command line of running processes.
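As an added example (not part of this article and not Broadcom's or the scanner vendor's code), the POSIX shell script below reproduces the Linux detection described above on a single host so an administrator can confirm a finding before and after the upgrade: it locates spring-core jars under the install roots listed in this article (or under any directories given on the command line), reads the version from the jar filename, and flags anything below the fixed releases the Spring advisories name (5.3.20 for the 5.3 line, 5.2.22 for the 5.2 line). It also lists spring-core jars currently open in running processes via /proc/*/fd, which is what distinguishes a loaded library from a leftover copy such as the backup directory above. The rule that lines older than 5.2 (for example the 4.3.30.RELEASE jars bundled with ActiveMQ) count as vulnerable is this example's reading of "old unsupported versions" in the advisory text, not something the article states explicitly.

```shell
#!/bin/sh
# Added example (not Broadcom's code): check spring-core jars on this host
# against the fixed versions named in the Spring advisories for
# CVE-2022-22970 / CVE-2022-22971 (5.3.20 and 5.2.22). Anything on an older,
# unsupported line (e.g. 4.3.x) is treated as vulnerable (assumption based on
# the advisory wording "old unsupported versions").

# Pull the version out of a spring-core jar path:
#   .../spring-core-4.3.30.RELEASE.jar -> 4.3.30.RELEASE
spring_core_version_from_path() {
    basename "$1" | sed -n 's/^spring-core-\(.*\)\.jar$/\1/p'
}

# Return 0 (true) when the version is below the fixed release for its line.
spring_core_vulnerable() {
    ver=$(printf '%s' "$1" | sed 's/\.RELEASE$//')
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -s -d. -f2)
    patch=$(printf '%s' "$ver" | cut -s -d. -f3)
    minor=${minor:-0}
    patch=${patch:-0}
    case "$major.$minor" in
        5.3) [ "$patch" -lt 20 ] ;;   # fixed in 5.3.20
        5.2) [ "$patch" -lt 22 ] ;;   # fixed in 5.2.22
        *)
            # 5.4+ and 6.x are outside the affected ranges; anything before
            # 5.2 is an unsupported line and is counted as vulnerable.
            if [ "$major" -lt 5 ]; then return 0; fi
            if [ "$major" -eq 5 ] && [ "$minor" -lt 2 ]; then return 0; fi
            return 1
            ;;
    esac
}

# Report every spring-core jar under the given directories, one per line:
#   "VULNERABLE <path> (<version>)" or "OK <path> (<version>)"
scan_spring_core_jars() {
    find "$@" -type f -name 'spring-core-*.jar' 2>/dev/null | sort -u |
    while IFS= read -r jar; do
        v=$(spring_core_version_from_path "$jar")
        if spring_core_vulnerable "$v"; then
            printf 'VULNERABLE %s (%s)\n' "$jar" "$v"
        else
            printf 'OK %s (%s)\n' "$jar" "$v"
        fi
    done
}

# spring-core jars open in running processes (the /proc/*/fd part of the
# scanner's logic). Reading other processes' fd tables needs root.
open_spring_core_jars() {
    ls -l /proc/*/fd 2>/dev/null | grep -Eo '[^ ]+/spring-core[^ ]*\.jar' | sort -u
}

# Install roots for the Portal and the DA/DC, as listed in this article.
NETOPS_DEFAULT_ROOTS="/opt/CA/PerformanceCenter /opt/IMDataCollector"

# Usage: sh spring_core_check.sh --scan [dir ...]
if [ "${1:-}" = "--scan" ]; then
    shift
    if [ $# -eq 0 ]; then set -- $NETOPS_DEFAULT_ROOTS; fi
    scan_spring_core_jars "$@"
    open_spring_core_jars | while IFS= read -r jar; do
        printf 'OPEN %s\n' "$jar"
    done
fi
```

A jar reported VULNERABLE but never appearing in an OPEN line (for example one under the backup directory) is still worth removing or upgrading, since scanners match on the file name alone; a jar that appears in an OPEN line is loaded by a running JVM and is the one that matters for exposure.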

Environment

All supported DX NetOps Performance Management Portal web server releases 21.2.11 and earlier

All supported DX NetOps Performance Management Data Aggregator and Data Collector releases 22.2.2 and earlier

Resolution

These are remediated by upgrading to 22.2.3 or newer releases of DX NetOps Performance Management.

  • Portal web server hosts:
    • Starting with release 21.2.12 the NetOps Portal web server host runs Spring framework versions 5.3.22+.
  • Data Aggregator (DA) and Data Collector (DC):
    • Starting with release 22.2.3 the DA and DC run Spring framework versions 5.3.20+.

Upgrade to 22.2.3 or newer to remediate these vulnerabilities.

Additional Information

CVE-2022-22970: In Spring Framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, an application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user.

CVE-2022-22971: In Spring Framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.