
spring framework vulnerabilities CVE-2022-22970 and CVE-2022-22971 for AutoSys/WCC


Article ID: 257164

Products

CA Workload Automation AE

Issue/Introduction

Comment on the following Spring Framework vulnerabilities:
CVE-2022-22971
CVE-2022-22970

Environment

Release : 12.0

Resolution

Per our WCC sustaining engineering team, WCC is not impacted by the vulnerabilities below:
===
Vulnerability Details : CVE-2022-22971
In Spring Framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, an application with a STOMP over WebSocket endpoint is vulnerable to a denial-of-service attack by an authenticated user.

  - WCC doesn't use the STOMP protocol or any WebSocket communication

Vulnerability Details : CVE-2022-22970
In Spring Framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

  - WCC doesn't use data binding of a model to HTML/JSP for a MultipartFile or servlet Part
===


If your security team will not grant an exception for the existence of these files at their current version, the option is to upgrade to WCC 12.1, as that version of WCC ships with version 5.3.22 of the Spring files in question.
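As an added check that is not part of this article or of the product, the following Python script classifies Spring Framework jars found in an install tree as fixed or affected against the versions named above (5.3.20 and 5.2.22); the install path, the jar naming pattern and the sample file names are assumptions.

```python
import re
from pathlib import Path

# Fixed versions from the advisory text: 5.3.20+ and 5.2.22+ carry the fix.
FIXED = {(5, 3): (5, 3, 20), (5, 2): (5, 2, 22)}
# Spring Framework module names; spring-security-* / spring-boot-* use other
# version lines and are deliberately skipped.
FRAMEWORK_MODULES = {
    "core", "beans", "context", "context-support", "aop", "aspects", "expression",
    "web", "webmvc", "webflux", "websocket", "messaging", "jdbc", "tx", "orm",
    "oxm", "jms", "jcl", "test", "instrument",
}
# Assumption: jars follow spring-<module>-<major>.<minor>.<patch>[.RELEASE].jar
JAR_RE = re.compile(r"^spring-([a-z-]+?)-(\d+)\.(\d+)\.(\d+)(?:[.-][\w.]+)?\.jar$")


def parse_spring_jar(name):
    """Return (module, (major, minor, patch)) for a Spring Framework jar, else None."""
    m = JAR_RE.match(name)
    if not m or m.group(1) not in FRAMEWORK_MODULES:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2, 3, 4))


def is_fixed(version):
    """True if this Spring Framework version contains the fix for both CVEs."""
    branch = version[:2]
    if branch in FIXED:
        return version >= FIXED[branch]
    # Branches newer than 5.3 postdate the fix; anything older than 5.2 is unsupported.
    return version > (5, 3, 20)


def audit_jars(names):
    """Map each Spring Framework jar name to 'fixed' or 'affected'; other jars are skipped."""
    report = {}
    for n in names:
        parsed = parse_spring_jar(n)
        if parsed:
            report[n] = "fixed" if is_fixed(parsed[1]) else "affected"
    return report


def audit_directory(root):
    """Walk an install tree (path is an assumption) and audit every spring-*.jar found."""
    return audit_jars(p.name for p in Path(root).rglob("spring-*.jar"))


if __name__ == "__main__":
    # Constructed sample: a pre-fix 5.3 jar, the 5.3.22 jar WCC 12.1 ships, a fixed 5.2 jar
    sample = ["spring-web-5.3.18.jar", "spring-websocket-5.3.22.jar",
              "spring-messaging-5.2.22.RELEASE.jar", "commons-io-2.11.0.jar"]
    for jar, status in sorted(audit_jars(sample).items()):
        print(f"{status:8} {jar}")
```

Point audit_directory at the WCC installation root to get the same report for the jars actually on disk.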