Spring4Shell Vulnerabilities CVE-2022-22963 CVE-2022-22965 and CA Service Desk Manager
search cancel

Spring4Shell Vulnerabilities CVE-2022-22963 CVE-2022-22965 and CA Service Desk Manager

book

Article ID: 238615

calendar_today

Updated On:

Products

CA Service Desk Manager CA Service Management - Service Desk Manager

Issue/Introduction

Two new CVEs for Spring4Shell Zero-Day Vulnerability:

CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression

https://tanzu.vmware.com/security/cve-2022-22963

CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

https://tanzu.vmware.com/security/cve-2022-22965

Is CA Service Desk Manager vulnerable to the above two (2) Spring4Shell vulnerabilities?

Environment

Service Desk Manager 17.x

All Supported Operating Systems

Resolution

Our Engineering team has looked into these recent Spring Framework vulnerabilities.

As per the Spring official document, if the product uses any of the below dependencies then it is vulnerable

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

spring-webmvc or spring-webflux 

Since CA Service Desk Manager does NOT use any of the above dependencies, then the CA Service Desk Manager application is NOT vulnerable to the recent Spring4Shell vulnerabilities listed above.

Additional Information

Note:  While SDM itself is not directly impacted by Spring4Shell vulnerabilities, removal of the jar file components is also not advised due to existing interoperability with such components.

Spring4Shell Vulnerabilities CVE-2022-22963 CVE-2022-22965 and JasperReports Server and JasperStudio

Spring4Shell ZERO-day exploit CVE-2022-22963 and CVE-2022-22965 vulnerability for Service Catalog

Powered by Wolken Software