Two new CVEs for Spring4Shell Zero-Day Vulnerability:
CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
https://tanzu.vmware.com/security/cve-2022-22963
CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
https://tanzu.vmware.com/security/cve-2022-22965
Are JasperReports Server and JasperStudio, as supported and used by CA Service Management, vulnerable to the two (2) Spring4Shell vulnerabilities above?
JasperReports Server 7.9 and JasperStudio 7.5
1. JasperSoft products do not use Spring Cloud Function and ARE NOT affected by CVE-2022-22963. Please refer to the following Tibco document for further details - https://www.tibco.com/support/notices/spring-framework-vulnerability-update
2. TIBCO is aware of the recently announced CVE-2022-22965 vulnerability. JasperReports Server 7.9 and JasperStudio 7.5, as supported and used by CA Service Management, ARE vulnerable to CVE-2022-22965.
To remediate the Spring4Shell vulnerability in JasperReports Server 7.9, please apply the JasperReports Server 7.9 Tibco cumulative hotfix from the Broadcom Support Portal:
For Service Management 17.3: https://support.broadcom.com/web/ecx/solutiondetails?aparNo=99111465&os=WINDOWS-ALL
For Service Management 17.2: https://support.broadcom.com/web/ecx/solutiondetails?aparNo=99111466&os=WINDOWS-ALL
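As an added verification aid (not part of this KB article or of the Tibco hotfix), the POSIX shell script below lists the Spring Framework jars in a JasperReports Server WEB-INF/lib directory that predate the upstream fix for CVE-2022-22965 (5.3.18 for the 5.3 line, 5.2.20 for the 5.2 line, taken from the Spring advisory rather than from this page), so it can be run before and after the hotfix is applied. The library path is an assumption to replace with your own install's, and the jar names in the demo are constructed.

```shell
#!/bin/sh
# Flag Spring Framework jars older than the CVE-2022-22965 fix release.
# Fixed versions (5.3.18 / 5.2.20) come from the upstream Spring advisory,
# not from this KB. JRS_LIB is an assumed location; point it at WEB-INF/lib.

# version_ge A B: succeed if dotted numeric version A >= B (e.g. 5.3.18 >= 5.3.17)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# check_spring_jars DIR: print each Spring Framework jar in DIR that predates
# the fix, one per line; exit 0 if none were found, 1 otherwise.
check_spring_jars() {
    found=0
    for jar in "$1"/spring-*.jar; do
        [ -e "$jar" ] || continue
        base=$(basename "$jar" .jar)
        ver=${base##*-}; ver=${ver%.RELEASE}   # 5.2.x jars carry a .RELEASE suffix
        mod=${base%-*}
        case "$mod" in
            spring-beans|spring-core|spring-context|spring-web|spring-webmvc|\
            spring-expression|spring-aop|spring-jdbc|spring-tx|spring-orm) ;;
            *) continue ;;   # spring-security-*, spring-data-* are separate projects
        esac
        case "$ver" in
            5.3.*) fixed=5.3.18 ;;
            5.2.*) fixed=5.2.20 ;;
            *)     fixed=""     ;;   # older lines received no fix: treat as affected
        esac
        if [ -z "$fixed" ] || ! version_ge "$ver" "$fixed"; then
            echo "$base"; found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Demo against a constructed WEB-INF/lib (sample file names, not a real install).
JRS_LIB=$(mktemp -d)
for f in spring-beans-5.3.17 spring-webmvc-5.3.17 spring-security-core-5.5.1; do
    : > "$JRS_LIB/$f.jar"
done
check_spring_jars "$JRS_LIB" || echo "affected jars listed above; apply the hotfix"
rm -rf "$JRS_LIB"
```

If the hotfix mitigates without replacing the jars, a lingering older version is a prompt to confirm against the Tibco notice, not proof of exposure on its own.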
A couple of reminders:
1. For Service Management 17.3, JasperReports Server 7.9 is only supported/certified on 17.3 RU10 or higher.
For information on applying 17.3 RU10 or above, please refer to the following documentation link:
2. For Service Management 17.2, JasperReports Server 7.9 is only supported/certified on 17.2 RU17 or higher.
For information on applying 17.2 RU17 or above, please refer to the following documentation link:
Tibco will be updating the following page as more information becomes available for JasperStudio 7.5, and this KB article will be updated accordingly:
Java Spring Framework Vulnerability Update for Jaspersoft Products