Spring Framework Denial of Service (DoS) Vulnerability CVE 2022-22950 in Performance Management
Article ID: 248154

Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

Our security team hit us for the following vulnerability.

I upgraded CAPM to 22.2 and they found this vulnerability.

/opt/IMDataAggregator/broker/apache-activemq-5.16.4/lib/optional/spring-core-4.3.30.RELEASE.jar

Environment

Release : 22.2.1 and older

Component : DX NetOps Performance Management Vulnerabilities

Cause

We are currently embedding ActiveMQ 5.16.x, which bundles a vulnerable version of Spring Framework (the spring-core 4.3.30 jar at the path shown above).

Resolution

Broadcom will embed ActiveMQ 5.17.x in a future build.

That release bundles Spring Framework 5.3.20 or later.

The tentative target is to include ActiveMQ 5.17.2 in Performance Management 22.2.3 (as of Sep 26, 2022).

This is subject to change.

Additional Information

This vulnerability affects the Data Aggregator (DA) and Data Collectors (DC).

Only the embedded ActiveMQ (AMQ) process is affected.

The DA/DC Karaf already uses Spring Framework 5.3.20.
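An added check, not part of the Broadcom article: a POSIX shell inventory that walks a DA/DC install root, extracts the version from every spring-core jar it finds, and flags anything below the 5.3.20 level named in the resolution. It assumes `sort -V` is available and that jars follow the `spring-core-<version>[.RELEASE].jar` naming seen in the path above.

```shell
#!/bin/sh
# Added example: inventory embedded spring-core jars and flag versions
# below the fixed line. Assumes GNU/BSD sort with -V and jar names of the
# form spring-core-<major>.<minor>.<patch>[.RELEASE].jar.
FIXED_SPRING="5.3.20"

# Extract the numeric version from a spring-core jar filename.
# spring-core-4.3.30.RELEASE.jar -> 4.3.30
spring_core_version() {
    basename "$1" | sed -E 's/^spring-core-([0-9]+\.[0-9]+\.[0-9]+).*\.jar$/\1/'
}

# Return 0 if the version is at or above FIXED_SPRING, 1 otherwise.
# Anything that is not a dotted numeric version is treated as not fixed,
# so an unrecognised jar name is reported rather than silently passed.
spring_version_fixed() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_SPRING" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_SPRING" ]
}

# Walk an install root (e.g. /opt/IMDataAggregator) and print one line per
# spring-core jar with its status. Returns 1 if any jar is below the fix.
scan_spring_core() {
    found=0
    for jar in $(find "$1" -type f -name 'spring-core-*.jar' 2>/dev/null); do
        ver=$(spring_core_version "$jar")
        if spring_version_fixed "$ver"; then
            echo "OK         $ver  $jar"
        else
            echo "VULNERABLE $ver  $jar"
            found=1
        fi
    done
    return $found
}
```

Run `scan_spring_core /opt/IMDataAggregator` on a DA and the matching root on each DC; a non-zero exit means at least one embedded ActiveMQ still carries the old jar.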

CVE-2022-22950

CVE-2022-22970