[ Update April 13th, 2022 ]
The workarounds described in this document are meant to be a temporary solution only. TKGI will have new patch releases to include the updated patched UAA release.
[ Update April 6th, 2022 ]
- The article has been updated to use a new UAA version, v74.5.37, to fix CVE-2022-22965.
- Earlier instructions in the article pointed to UAA v74.5.36. It was later discovered that the Spring Framework dependencies in that UAA release had not been updated.
- Changes have been made to this article to reflect that, and the recommendation is to use UAA v74.5.37.
Workaround:
- SSH into the Ops Manager VM. For more information, refer to Logging Into Ops Manager VMs with SSH.
- Download the patched UAA BOSH releases to the Ops Manager VM.
- For TKGI 1.10.x through 1.13.x, use the UAA version below (TKGI 1.7.x and 1.9.x can use the same version, but this has not been validated):
sudo -u tempest-web wget -P /var/tempest/releases/ https://uaa-release-tarballs.s3.us-west-1.amazonaws.com/releases/uaa-release-74.5.37-rc.5.tgz
- Find the file paths of the YAML files that define all the versions of the TKGI tile. You want the .yml file(s) returned by the following command:
sudo grep -l "^name: pivotal-container-service" /var/tempest/workspaces/default/metadata/*
The output should look something like:
/var/tempest/workspaces/default/metadata/6d07d2051b44.yml
/var/tempest/workspaces/default/metadata/product-template20211113-824-1eunm3e.yml
- Confirm the version of TKGI you are using by running the following command on each full file path:
sudo head FULL-FILE-PATH-FROM-ABOVE-OUTPUT
- If more than one file is returned by the grep above, run the head command on each to identify the version you currently have deployed; that is the file you will need to edit in the next steps.
- Make a backup of this YAML file in your home directory. You can restore this backup over the file you are about to edit in order to revert the workaround later if needed.
sudo cp FULL-FILE-PATH-FROM-ABOVE-OUTPUT ~ubuntu/
- Edit the YAML file (using "sudo editor-of-choice", such as emacs, vi, or nano) to replace the relevant release section for the UAA release.
EXAMPLE OF OLD UAA SECTION
- name: uaa
  version: 74.5.29
  file: uaa-74.5.29-ubuntu-xenial-621.183.tgz
  exported_from:          <-- make sure to remove this line
  - os: ubuntu-xenial     <-- make sure to remove this line
    version: '621.183'    <-- make sure to remove this line
EXAMPLE OF AFTER UPDATE
- name: uaa
  version: 74.5.37-rc.5
  file: uaa-release-74.5.37-rc.5.tgz
- Apply Changes to the TKGI Tile!
When you review pending changes for the TKGI tile, it should look something like this:
Note: If you see an error like "Packages must be exported from stemcell 'ubuntu-xenial/621.183', but some packages are not compiled for this stemcell", you likely forgot to remove the "exported_from" block in the previous step. Fix that and try again.
Your UAA VMs are now patched. They will remain patched even if VM resurrection takes place, you upgrade the stemcell, or you reconfigure the tile. If you upgrade the TKGI tile to a new version, this mitigation will be lost and may need to be reapplied.
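The YAML edit in the steps above is easy to get subtly wrong (a leftover exported_from block is exactly what triggers the stemcell error noted above). The following is an added example, not part of the VMware KB article and not VMware's own tooling: a small POSIX shell script that performs the same rewrite of the "- name: uaa" release entry with awk, checks the result before you apply changes, and confirms the tarball is where Ops Manager expects it. It assumes the tile metadata lists releases as "- name: <release>" items at column 0 with two-space-indented keys, as in the article's UAA snippet; the release directory defaults to the /var/tempest/releases/ path the article downloads into; the sample metadata fragment, including the second release entry, is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the VMware KB article: the manual YAML edit from the
# steps above, done with an awk rewrite plus a verification step.
# Assumptions (not stated in the article): releases are listed as
# "- name: <release>" items at column 0 with two-space-indented keys, as in
# the article's UAA snippet; the tarball directory defaults to
# /var/tempest/releases/, the path the article downloads into.

NEW_UAA_VERSION="74.5.37-rc.5"              # version from the article
NEW_UAA_FILE="uaa-release-74.5.37-rc.5.tgz" # tarball name from the article

# Print only the "- name: uaa" release entry of a metadata YAML file.
uaa_block() {
    awk '/^- name: / { u = ($0 == "- name: uaa") }
         /^[^ ]/ && !/^- name: / { u = 0 }   # any other top-level key ends the list
         u' "$1"
}

# Rewrite the uaa release entry of $1 into $2: set version: and file: to the
# patched release and drop the exported_from: block (including its nested
# "- os:" / "version:" lines). Every other release entry is copied unchanged.
patch_uaa_release() {
    awk -v ver="$NEW_UAA_VERSION" -v file="$NEW_UAA_FILE" '
        /^[^ ]/ && !/^- name: / { in_uaa = 0; skip = 0 }
        /^- name: / { in_uaa = ($0 == "- name: uaa"); skip = 0; print; next }
        in_uaa && /^  exported_from:/ { skip = 1; next }
        skip && (/^  - / || /^    /) { next }   # nested lines of exported_from
        { skip = 0 }
        in_uaa && /^  version: / { print "  version: " ver; next }
        in_uaa && /^  file: /    { print "  file: " file; next }
        { print }
    ' "$1" > "$2"
}

# Return 0 only if the uaa entry of $1 points at the patched tarball and no
# exported_from: line is left (the cause of the "Packages must be exported
# from stemcell" error mentioned in the article).
verify_uaa_release() {
    block=$(uaa_block "$1")
    printf '%s\n' "$block" | grep -q "^  file: $NEW_UAA_FILE\$" || return 1
    if printf '%s\n' "$block" | grep -q '^  exported_from:'; then return 1; fi
    return 0
}

# Return 0 if the tarball named in file: exists in the releases directory
# ($1, defaulting to the directory the article downloads into).
release_tarball_present() {
    [ -f "${1:-/var/tempest/releases}/$NEW_UAA_FILE" ]
}

# Constructed sample fragment (not a real TKGI product template): the
# pre-patch UAA entry from the article plus a made-up second release that must
# stay untouched, so the rewrite can be exercised offline.
make_sample() {
    cat > "$1" <<'EOF'
---
name: pivotal-container-service
releases:
- name: uaa
  version: 74.5.29
  file: uaa-74.5.29-ubuntu-xenial-621.183.tgz
  exported_from:
  - os: ubuntu-xenial
    version: '621.183'
- name: other-release
  version: 1.0.0
  file: other-release-1.0.0-ubuntu-xenial-621.183.tgz
  exported_from:
  - os: ubuntu-xenial
    version: '621.183'
job_types:
- name: pivotal-container-service
EOF
}

# Demo on the constructed sample: patch, verify, and show the resulting entry.
# On a real Ops Manager VM the same functions apply to the file found with the
# grep -l command: back it up as the article does, write the patched copy,
# verify it, then replace the original with sudo before applying changes.
demo() {
    d=$(mktemp -d)
    make_sample "$d/product-template.yml"
    patch_uaa_release "$d/product-template.yml" "$d/patched.yml"
    verify_uaa_release "$d/patched.yml" && uaa_block "$d/patched.yml"
    rm -rf "$d"
}
demo
```

The awk pass is deliberately narrow: it only touches lines inside the uaa entry, so other releases keep their exported_from blocks, and verify_uaa_release gives you a yes/no before you click Apply Changes rather than discovering the stemcell error during the apply.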