
DX NetOps Spectrum OneClick - Spring Framework DoS vulnerabilities (CVE-2022-22970)


Article ID: 244033


Products

DX NetOps CA Spectrum

Issue/Introduction

The following vulnerabilities have been identified on Spectrum OneClick servers running DX NetOps Spectrum version 21.2.8.0.32.

=============================

CVE-2022-22970 - In Spring Framework versions prior to 5.3.20 and 5.2.22, and in older unsupported versions, applications that handle file uploads are vulnerable to a denial of service (DoS) attack if they rely on data binding to set a MultipartFile or javax.servlet.Part field on a model object.

https://nvd.nist.gov/vuln/detail/CVE-2022-22970

CVE-2022-22971 - In Spring Framework versions prior to 5.3.20 and 5.2.22, and in older unsupported versions, an application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user.

https://nvd.nist.gov/vuln/detail/CVE-2022-22971

 

Environment

Release : 21.2

Component : DX NetOps Spectrum Vulnerabilities

Resolution

Release 21.2.12 of DX NetOps Spectrum includes the following Spring Framework versions:

$SPECROOT/tomcat/lib - Spring jars of version 5.3.20

$SPECROOT/tomcat/webapps/axis2/WEB-INF/lib - Spring jars of version 5.3.18

Note that 5.3.18 is older than the 5.3.20 fix release cited in the CVE descriptions above, so the Spring jars under the axis2 webapp should be verified separately against the Spring Framework advisories rather than assumed to be covered by this release.
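The following script is an added example, not part of this article or of the Spectrum product, for checking whether the Spring jars in both directories above meet a minimum version. It assumes the jar file names carry the version in the usual spring-<module>-<x.y.z>.jar form (jars that do not match that pattern are skipped and must be inspected by hand); the function names and the OK/OUTDATED report format are this example's own, and SPECROOT is the Spectrum install root as used elsewhere in the article.

```shell
#!/bin/sh
# Added example (not part of the Broadcom article): report Spring jars under a
# library directory whose version is older than a minimum. The version is taken
# from the jar file name (assumed to follow the usual spring-<module>-<x.y.z>.jar
# pattern); jars that do not match that pattern are skipped. Function names are
# this example's own.

# Print "<jar name> <version>" for every spring-*.jar in directory $1.
list_spring_jars() {
    for jar in "$1"/spring-*.jar; do
        [ -e "$jar" ] || continue
        name=$(basename "$jar" .jar)
        # Trailing dotted-numeric component, e.g. "5.3.18"; names with a
        # qualifier such as -SNAPSHOT produce no match and are skipped.
        ver=$(printf '%s\n' "$name" | sed -n 's/.*-\([0-9][0-9.]*[0-9]\)$/\1/p')
        [ -n "$ver" ] || continue
        printf '%s %s\n' "$name" "$ver"
    done
}

# Succeed (exit 0) when dotted version $1 is greater than or equal to $2.
# Sorting numerically on each dotted field avoids the trap of a plain string
# comparison, which would rank 5.3.9 above 5.3.18.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t . -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# Print one line per jar in directory $1 and exit 0 only if every jar is at
# least version $2.
check_spring_jars() {
    rc=0
    while read -r name ver; do
        [ -n "$name" ] || continue
        if version_ge "$ver" "$2"; then
            echo "OK       $name ($ver)"
        else
            echo "OUTDATED $name ($ver is older than $2)"
            rc=1
        fi
    done <<EOF
$(list_spring_jars "$1")
EOF
    return $rc
}

# On a Spectrum host, check both directories named in the article against the
# 5.3.20 fix release. Nothing runs unless SPECROOT points at the install root.
if [ -n "$SPECROOT" ]; then
    check_spring_jars "$SPECROOT/tomcat/lib" 5.3.20
    check_spring_jars "$SPECROOT/tomcat/webapps/axis2/WEB-INF/lib" 5.3.20
fi
```

Run it as the Spectrum user with SPECROOT exported; a non-zero exit means at least one jar is below 5.3.20. The file-name check is a quick first pass only: a jar whose name carries no version, or one that was repackaged, needs its META-INF/MANIFEST.MF inspected directly.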

Additional Information

Spring Framework version shipped per DX NetOps release:

NetOps 22.2.2 - Spring Framework 5.3.22
NetOps 21.2.12 - Spring Framework 5.3.20
NetOps 21.2.10 - Spring Framework 5.3.18