Vulnerability CVE-2022-22965 found in spring-core-4.0.6.RELEASE.jar


Article ID: 279344


Products

CA Release Automation - Release Operations Center (Nolio)
CA Release Automation - DataManagement Server (Nolio)

Issue/Introduction

During a security scan, the vulnerability CVE-2022-22965 was detected on the agents:

https://nvd.nist.gov/vuln/detail/CVE-2022-22965

Path: /opt/ReleaseAutomationAgent/actionslib/spring-core-4.0.6.RELEASE.jar
Installed version: 4.0.6.RELEASE
Fixed version: 5.2.20

Environment

Release Automation 6.7

Resolution

Release Automation does not meet the prerequisites for exploiting the vulnerability CVE-2022-22965.
 
Moreover, starting with version 6.8, a new version of spring-core is delivered: spring-core-5.3.21.jar
In this version the vulnerability is fixed.
 
 
The solution is therefore to upgrade the NAC and NES servers to version 6.8.0 and delete the spring*4.0.6.*.jar files in the <ra_home>/actionslib directory on NAC and NES:
 
cd <ra_home>/actionslib
rm spring*4.0.6.*.jar
 
Then upgrade the agents to version 6.8.0.
 
When actions are next sent to the agents, the actionslib directory is synchronized and the file spring-core-4.0.6.RELEASE.jar is removed from the agents.
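The following script is an added example, not part of this article or of the Release Automation product, for auditing an actionslib directory after the procedure above: it lists any remaining spring*4.0.6.*.jar files, confirms that the fixed spring-core-5.3.21.jar is present, and can remove the old jars (with a dry-run mode). The function names and the directory argument are assumptions; the jar names are the ones given in the article.

```shell
#!/bin/sh
# Added example (not from the KB article): audit and clean an actionslib
# directory for the vulnerable spring 4.0.6 jars described in the article.
# Function names are assumed; jar names come from the article.

# Print every spring*4.0.6.*.jar directly under the given directory, sorted, one per line.
find_old_spring_jars() {
  dir="$1"
  find "$dir" -maxdepth 1 -type f -name 'spring*4.0.6.*.jar' 2>/dev/null | sort
}

# Return 0 when the directory is clean (no 4.0.6 jars and the fixed jar present), 1 otherwise.
check_actionslib() {
  dir="$1"
  status=0
  old="$(find_old_spring_jars "$dir")"
  if [ -n "$old" ]; then
    echo "Vulnerable jars still present in $dir:"
    echo "$old"
    status=1
  fi
  if [ ! -f "$dir/spring-core-5.3.21.jar" ]; then
    echo "spring-core-5.3.21.jar not found in $dir (6.8.0 upgrade not applied or not yet synchronized)"
    status=1
  fi
  if [ "$status" -eq 0 ]; then
    echo "$dir is clean"
  fi
  return "$status"
}

# Remove the 4.0.6 jars and print how many were matched.
# Pass "dry-run" as the second argument to only report what would be removed.
remove_old_spring_jars() {
  dir="$1"
  mode="${2:-apply}"
  jars="$(find_old_spring_jars "$dir")"
  if [ -z "$jars" ]; then
    echo 0
    return 0
  fi
  printf '%s\n' "$jars" | while IFS= read -r f; do
    if [ "$mode" = "dry-run" ]; then
      echo "would remove: $f" >&2
    else
      rm -f "$f"
    fi
  done
  printf '%s\n' "$jars" | wc -l | tr -d ' '
}

# Usage: sh audit_spring.sh <ra_home>/actionslib
# (report only; call remove_old_spring_jars explicitly to delete the jars)
if [ "$#" -ge 1 ]; then
  check_actionslib "$1"
fi
```

Run the check on NAC, NES and on each agent's actionslib directory after the upgrade; an agent that still reports the 4.0.6 jar has simply not yet received an action since the upgrade, so the directory has not been synchronized.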