Spring4Shell Vulnerabilities CVE-2022-22963 CVE-2022-22965 and JasperReports Server and JasperStudio


Article ID: 238712


Products

CA Service Desk Manager; CA Service Management - Service Desk Manager

Issue/Introduction

Two new CVEs for the Spring4Shell zero-day vulnerability:

CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression

CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

Are JasperReports Server and JasperStudio, as supported and used by CA Service Management, vulnerable to the above two (2) Spring4Shell vulnerabilities?

Environment

JasperReports Server 7.9 and JasperStudio 7.5

Resolution

1.  JasperSoft products do not use Spring Cloud Function and ARE NOT affected by CVE-2022-22963.

2.  TIBCO is aware of the recently announced CVE-2022-22965 vulnerability. JasperReports Server 7.9 and JasperStudio 7.5, as supported and used by CA Service Management, ARE vulnerable to the CVE-2022-22965 vulnerability.

To remediate the Spring4Shell vulnerability in JasperReports Server 7.9, please apply the JasperReports Server 7.9 Tibco cumulative hotfix from the Broadcom Support Portal:

For Service Management 17.3

For Service Management 17.2
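As an added check that is not part of this article or of the TIBCO hotfix, the following Python script inventories the Spring Framework jars in a JasperReports Server WEB-INF/lib directory, flags versions below the Spring Framework 5.3.18 / 5.2.20 releases that fix CVE-2022-22965, and flags any Spring Cloud Function jars (CVE-2022-22963). The lib path and the sample jar names are assumptions constructed for illustration; it is an inventory aid only, since exposure to CVE-2022-22965 also depends on the JDK and deployment form, and the cumulative hotfix above remains the supported remediation.

```python
"""Inventory Spring Framework jars in a JasperReports Server WEB-INF/lib and
flag versions below the CVE-2022-22965 fixes (5.3.18 / 5.2.20), plus any
Spring Cloud Function jars (CVE-2022-22963).
Assumed / constructed: the lib path and the sample jar names below."""
import os
import re

# Fixed Spring Framework releases for CVE-2022-22965 (per the Spring advisory).
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
SPRING_JAR = re.compile(r"^spring-(core|beans|web|webmvc|context)-(\d+)\.(\d+)\.(\d+)")
CLOUD_FN_JAR = re.compile(r"^spring-cloud-function")


def assess_jars(jar_names):
    """Return {'vulnerable': [...], 'fixed': [...], 'cloud_function': [...]}.
    A jar is 'vulnerable' when its version is below the fix for its branch,
    or on an older branch (< 5.2) that never received a fix."""
    result = {"vulnerable": [], "fixed": [], "cloud_function": []}
    for name in jar_names:
        if CLOUD_FN_JAR.match(name):
            result["cloud_function"].append(name)
            continue
        m = SPRING_JAR.match(name)
        if not m:
            continue  # not a Spring Framework jar
        version = tuple(int(x) for x in m.group(2, 3, 4))
        branch = version[:2]
        fix = FIXED.get(branch)
        if fix is None:
            # Branches after 5.3 shipped with the fix; branches before 5.2 never got one.
            bucket = "fixed" if branch > (5, 3) else "vulnerable"
        else:
            bucket = "fixed" if version >= fix else "vulnerable"
        result[bucket].append(name)
    return result


def scan_lib_dir(lib_dir):
    """Apply assess_jars to the .jar files in a real WEB-INF/lib directory."""
    return assess_jars(sorted(n for n in os.listdir(lib_dir) if n.endswith(".jar")))


if __name__ == "__main__":
    # Constructed sample: a pre-hotfix install (5.3.17) plus an unrelated jar.
    SAMPLE = ["spring-core-5.3.17.jar", "spring-beans-5.3.17.jar",
              "spring-webmvc-5.3.17.jar", "jasperreports-6.17.0.jar"]
    print(assess_jars(SAMPLE))
    # For a real install (path is an assumption; adjust to your Tomcat layout):
    # print(scan_lib_dir("/opt/tomcat/webapps/jasperserver-pro/WEB-INF/lib"))
```

A "fixed" result confirms jar versions only; confirm the hotfix itself is applied through the Broadcom Support Portal instructions, and treat any "cloud_function" entry as unexpected for a JasperSoft install.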

A couple of reminders:

1.  For Service Management 17.3, JasperReports Server 7.9 is only supported/certified on 17.3 RU10 or higher.

Information on applying 17.3 RU10

2. For Service Management 17.2, JasperReports Server 7.9 is only supported/certified on 17.2 RU17 or higher.

Information on applying 17.2 RU17

TIBCO will be updating the following page as more information becomes available for JasperStudio 7.5.