CVE-2022-42889 - Service Management

Article ID: 252467

Products

CA Service Catalog
CA Business Service Insight
CA Service Management - Service Desk Manager
CA Service Management - Asset Portfolio Management
CA Service Desk Manager
CA Service Desk Manager - Xtraction
CA IT Asset Manager
CA IT Asset Manager Asset Portfolio Management
CA Process Automation Base

Issue/Introduction

CVE-2022-42889 was published in the National Vulnerability Database on 13 October 2022. More information can be found here.

The vulnerability affects Apache Commons Text versions 1.5 through 1.9.

Are the Service Management products vulnerable?

Environment

CA Service Management

All Supported Operating Systems

Resolution

1.  CA Service Catalog

CA Service Catalog does not use the Apache Commons Text library, and there is no reference to the 'StringSubstitutor' API in the CA Service Catalog code base.

Therefore, CA Service Catalog is NOT vulnerable to CVE-2022-42889.

2.  CA Service Desk Manager (SDM)

CA Service Desk Manager is not vulnerable to CVE-2022-42889.

However, the xFlow module in 17.3 RU17 is vulnerable to CVE-2022-42889. xFlow at previous RU levels is NOT vulnerable.

If you have CA Service Management 17.3.0.17 installed, the CVE-2022-42889 vulnerability is fixed in CA Service Management 17.3.0.18.  Documentation on installing RU18 can be located at https://techdocs.broadcom.com/us/en/ca-enterprise-software/business-management/ca-service-management/17-3/installing/Installing-CA-Service-Management-17-3-0-18.html

Alternatively, for xFlow, you can follow the below steps to remediate the vulnerability:

a.  Stop the xFlow services.
b.  Remove the following files from the xFlow installation directory:

xFlow\APPS\Services\collabmicroservice-xxxx\lib\org.apache.commons.commons-text-1.7.jar 
xFlow\APPS\Services\incidentmicroservice-xxxx\lib\org.apache.commons.commons-text-1.7.jar 
xFlow\APPS\Services\insightmicroservice-xxxx\lib\org.apache.commons.commons-text-1.7.jar 
xFlow\APPS\Services\pushmicroservice-xxxx\lib\org.apache.commons.commons-text-1.7.jar 
xFlow\APPS\Services\searchmicroservice-xxxx\lib\org.apache.commons.commons-text-1.7.jar 

c.  Restart the xFlow services.
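As an added example (not Broadcom's code), the following Python audit walks an install tree, flags Commons Text jars whose version falls in the affected 1.5 through 1.9 range, and lists the files that step b removes; the directory layout follows the paths above, and the jar files it scans are constructed test data.

```python
# Added example (not Broadcom's code): audit an xFlow-style install tree for
# Apache Commons Text jars in the CVE-2022-42889 range, 1.5 through 1.9.
# Directory layout mirrors the article; the jar files are constructed test data.
import os
import re
import tempfile
from pathlib import Path

# Jar names carry the version, e.g. org.apache.commons.commons-text-1.7.jar
JAR_RE = re.compile(r"commons-text-(\d+)\.(\d+)(?:\.\d+)?\.jar$", re.IGNORECASE)
AFFECTED_MIN, AFFECTED_MAX = (1, 5), (1, 9)  # inclusive, per the advisory

def jar_version(name):
    """Return (major, minor) for a Commons Text jar file name, else None."""
    m = JAR_RE.search(name)
    return (int(m.group(1)), int(m.group(2))) if m else None

def is_affected(version):
    """True when 1.5 <= version <= 1.9 (tuple compare, so 1.10 is not flagged)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def find_affected_jars(root):
    """Walk the tree and return sorted paths of affected jars (the step b list)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            v = jar_version(f)
            if v is not None and is_affected(v):
                hits.append(Path(dirpath) / f)
    return sorted(hits)

def build_sample_tree(root):
    """Constructed layout: the five xFlow services plus one unaffected 1.10 jar."""
    services = Path(root) / "xFlow" / "APPS" / "Services"
    for svc, ver in [("collab", "1.7"), ("incident", "1.7"), ("insight", "1.7"),
                     ("push", "1.7"), ("search", "1.7"), ("other", "1.10")]:
        lib = services / f"{svc}microservice-1234" / "lib"
        lib.mkdir(parents=True)
        (lib / f"org.apache.commons.commons-text-{ver}.jar").touch()

def audit_sample():
    """Build the sample tree in a temp dir; return affected jars relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [p.relative_to(tmp).as_posix() for p in find_affected_jars(tmp)]

if __name__ == "__main__":
    for jar in audit_sample():
        print("affected:", jar)  # step b: remove these, then restart xFlow
```

Point find_affected_jars at a real xFlow directory to get the list of jars to remove; the version check is done on the file name only, so a jar renamed without its version would need a manual MANIFEST check.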

3.  CA IT Asset Manager (ITAM)

CA IT Asset Manager does not use the Apache Commons Text library, and there is no reference to the 'StringSubstitutor' API in the CA IT Asset Manager code base.

Therefore, CA IT Asset Manager is NOT vulnerable to CVE-2022-42889.

4. Business Service Insight (BSI)

Business Service Insight does not use the Apache Commons Text library, and there is no reference to the 'StringSubstitutor' API in the Business Service Insight code base.

Therefore, Business Service Insight is NOT vulnerable to CVE-2022-42889.

5. IT Process Automation (ITPAM)

IT Process Automation does not use the Apache Commons Text library, and there is no reference to the 'StringSubstitutor' API in the IT Process Automation code base. Default PAM installations do not deploy or deliver any jar files related to this defect.

Therefore, IT Process Automation is NOT vulnerable to CVE-2022-42889.

Additional Information

CVE-2022-42889 - JasperSoft Server 7.9