Spring4Shell ZERO-day exploit CVE-2022-22965 vulnerability for Service Catalog
search cancel

Spring4Shell ZERO-day exploit CVE-2022-22965 vulnerability for Service Catalog

book

Article ID: 238534

calendar_today

Updated On:

Products

CA Service Catalog

Issue/Introduction

Two CVEs for new Spring4Shell Zero-Day Vulnerability:

CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression

https://tanzu.vmware.com/security/cve-2022-22963

CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

https://tanzu.vmware.com/security/cve-2022-22965

Is Service Catalog vulnerable to the above Spring4Shell vulnerabilities?

Environment

Service Catalog 17.2 and 17.3

All Supported Operating Systems

Cause

CVE-2022-22965 

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

This vulnerability affects all versions of Spring versions listed below:

  • 5.3.0 to 5.3.17
  • 5.2.0 to 5.2.19
  • Older, unsupported versions are also affected

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Resolution

Yes, Service Catalog is indeed vulnerable, but only CVE-2022-22965 is applicable to Service Catalog.

Temporary Workaround - upgrading Service Catalog’s Tomcat to 8.5.78 version. Ignore this if the Service Catalog Tomcat version is already updated to the latest version 8.5.78 version.

1.  Download the Apache Tomcat 8.5.78 from http://archive.apache.org/dist/tomcat/tomcat-8/v8.5.78/bin and download apache-tomcat-8.5.78-windows-x86.zip

2.  Login to your CA Service Catalog server and stop the CA Service Catalog service.

3.  Double click on usm.cmd located under the USM_HOME directory (i.e. CA Service Catalog install folder).  This will launch the CA Service Catalog command prompt.

4.  Run “ant upgrade-tomcat” and provide the required details.

 Note: If Service Catalog is at version 17.3 RU13 and if ant.zip is not extracted correctly under the USM_HOME/bin/ant folder, then extract the ant.zip manually which is available under USM_HOME/bin/ant folder, before running the ant command.

5.  Restart the CA Service Catalog services.

Long Term Remediation

Service Catalog (Spring4Shell CVE-2022-22965) Hot Fix has been published and is available for download from the Broadcom Support portal.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/release-announcements/CA-Service-Catalog-iCan-View-Solutions--Patches/6348

A couple of notes:

1.  The Service Catalog (Spring4Shell CVE-2022-22965) Hot Fix has a pre-requisite of 17.3 RU13.  Details on installing RU13 can be located at: https://techdocs.broadcom.com/us/en/ca-enterprise-software/business-management/ca-service-management/17-3/installing/Installing-CA-Service-Management-17-3-0-13.html

2.  As always, we recommend testing all changes in a non-production environment first and ensuring that there is a valid server(s) and MDB backup.

Note: Service Catalog 17.2 customers should consider upgrading to 17.3 to use the long-term remediation patch or apply the workaround described in this KB article as a workaround to reduce the impact of this vulnerability.

Additional Information

How to check the Tomcat version that Service Catalog is using?

Spring4Shell Vulnerabilities CVE-2022-22963 CVE-2022-22965 and CA Service Desk Manager

Spring4Shell Vulnerabilities CVE-2022-22963 CVE-2022-22965 and JasperReports Server and JasperStudio