Spring4Shell is not applicable to the ZENworks products


Upon analysis, we have determined that this critical 0-day vulnerability "Spring4Shell" (CVE-2022-22963 & CVE-2022-22965) is not applicable to any of the ZENworks products.

TID KM000005089

CVE-2022-22963 is applicable only if Spring Cloud Function is consumed.
ZENworks products do not consume it.

CVE-2022-22965 can be exploited only if the code using Spring Beans runs on Java version 9 and above, and has at least one endpoint that maps parameters to an object using either query parameters in a GET method or a POST method using application/x-www-form-urlencoded. This vulnerability is NOT exploitable for objects that are deserialized from JSON or other standard mechanisms.
Since the above prerequisites are not met, ZENworks products are not vulnerable.
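
The same prerequisite check can be applied to any other Java deployment. The following is an added example, not code from this advisory or from ZENworks: it evaluates only the conditions stated above, not whether the Spring version in use is already patched. The function names, the jar-name matching and the sample inventory are assumptions made for illustration.

```python
import re

def java_major(version):
    """Feature release from a Java version string.
    Legacy scheme: "1.8.0_322" -> 8. Since Java 9: "9", "11.0.14.1", "17-ea".
    """
    m = re.match(r"(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Java version: {version!r}")
    first = int(m.group(1))
    # "1.x" is the pre-Java-9 naming, where the second field is the release.
    if first == 1 and m.group(2) is not None:
        return int(m.group(2))
    return first

def triage(java_version, jars, binds_params_to_object=None):
    """Evaluate the advisory's prerequisites for one deployment.

    jars: jar paths or file names found in the application (assumption:
          library use is inferred from jar names).
    binds_params_to_object: code-review result for "an endpoint maps GET query
          parameters or an application/x-www-form-urlencoded POST body to an
          object"; None means not yet reviewed.
    """
    names = [j.replace("\\", "/").rsplit("/", 1)[-1] for j in jars]
    cloud_function = any(n.startswith("spring-cloud-function-") for n in names)
    spring_beans = any(n.startswith("spring-beans-") for n in names)

    result = {"CVE-2022-22963": "prerequisites met" if cloud_function
              else "prerequisites not met"}
    if not spring_beans or java_major(java_version) < 9:
        result["CVE-2022-22965"] = "prerequisites not met"
    elif binds_params_to_object is None:
        result["CVE-2022-22965"] = "needs code review"
    elif binds_params_to_object:
        result["CVE-2022-22965"] = "prerequisites met"
    else:
        result["CVE-2022-22965"] = "prerequisites not met"
    return result

# Constructed sample inventory, not taken from any real product.
SAMPLE_JARS = ["WEB-INF/lib/spring-beans-0.0.0.jar",
               "WEB-INF/lib/spring-webmvc-0.0.0.jar"]

if __name__ == "__main__":
    for version in ("1.8.0_322", "11.0.14.1"):
        print(version, triage(version, SAMPLE_JARS))
```

Note that the legacy `1.8.0_…` version string must be read as Java 8, not Java 1; a naive comparison on the first field would misclassify it.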
