Is Control-M impacted by SpringShell/Spring4Shell vulnerability (CVE-2022-22965) or CVE-2022-22963 ?

Is Control-M impacted by SpringShell/Spring4Shell vulnerability (CVE-2022-22965) or CVE-2022-22963 ?

Knowledge Article

Article Number

000395541

Old Article Number

Article Type

FAQ/Procedural

Title

Is Control-M impacted by SpringShell/Spring4Shell vulnerability (CVE-2022-22965) or CVE-2022-22963 ?

Summary

This KA explains how Control-M products are affected by the Spring4Shell vulnerability and how to remediate the vulnerability

Product

Control-M/Enterprise Manager

Component

Applies to

Control-M all Distributed products

Question

Is Control-M impacted by SpringShell/Spring4Shell/CVE-2022-22965 / CVE-2022-22963?
Is there a mitigation/fix/hotfix for the SpringShell/Spring4Shell/CVE-2022-22965 for Control-M ?

A detailed description of the Spring4Shell vulnerability can be found here: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

BMC has released the following Security Advisory about Spring4Shell. https://community.bmc.com/s/news/aA33n000000TXoRCAW/bmc-advisory-details-for-cve202222965-spring4shell-vulnerability

This Security Advisory will be updated regularly as additional information is available.

Answer

Last updated: September 27, 2022
For Helix Control-M products, refer to article 000395657

CVE-2022-22965 (Spring4Shell)

- Control-M Application Pack version 9.0.20 has been found to contain the Spring4Shell (CVE-2022-22965) vulnerability.

This is resolved in version 9.0.21
Application Pack 9.0.21.100 includes tomcat 9.0.71.

For version 9.0.20, this is resolved in patch PA1CM.9.0.20.205. See the following for details:
https://docs.bmc.com/docs/display/ctm9020/Control-M+Application+Pack+PA1CM.9.0.20.205

NOTE: Patch 205 can be applied on top of Application Pack version 9.0.20.200. Application Pack 9.0.20.200 can be deployed from any Control-M/Enterprise Manager version 9.0.20. Control-M Application Pack 9.0.20.200 files have been made available as a separate download on the Product Downloads site.

- Control-M Application Pack version 9.0.18 and 9.0.19 are not impacted by the Spring4Shell (CVE-2022-22965) vulnerability.

All supported versions of the following products are not impacted by the Spring4Shell (CVE-2022-22965) vulnerability:
- Control-M/Enterprise Manager and add-ons
- Control-M/Server
- Control-M/Agent
- Control-M Managed File Transfer
- Control-M Managed File Transfer Enterprise
- Control-M for Advanced File Transfer
- Control-D/WebAccess Server, Control-D Delivery Server, Control-D Agents
- All plugins that are not part of Control-M Application Pack

CVE-2022-22963

All supported versions of all Control-M and Control-D products are not impacted by the CVE-2022-22963 vulnerability.

Attachment(s):