Spring4Shell vulnerability not applicable to ZSD

Upon analysis, we have determined that the Spring4Shell vulnerability (CVE-2022-22963 & CVE-2022-22965) is not applicable to ZENworks Service Desk.

Upon analysis, we have determined that this critical 0-day vulnerability "Spring4Shell" (CVE-2022-22963 & CVE-2022-22965) is not applicable to any of the ZENworks products.

TID KM000005089

CVE-2022-22963 is applicable only if Spring Cloud Function is consumed.
ZENworks products do not consume it.

CVE-2022-22965 can be exploited only if the code using Spring Beans runs on Java version 9 and above, and has at least one endpoint that maps parameters to an object using either query parameters in a GET method or a POST method using application/x-www-form-urlencoded. This vulnerability is NOT exploitable for objects that are deserialized from JSON or other standard mechanisms.
Since the above pre-requisites are not met, ZENworks products are not vulnerable.

Paul Pedron
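
The preconditions listed in the post can be turned into a first-pass triage for any Java deployment. The following is an added example, not part of the original post and not ZENworks or Micro Focus code. The function names, the `spring-cloud-function*` and `spring-beans-*` jar name patterns, and the sample inventory are assumptions made for illustration.

```python
import re
from pathlib import Path

def java_major(version):
    """'1.8.0_321' -> 8 (legacy 1.x scheme), '11.0.14' -> 11, '17' -> 17."""
    parts = re.split(r"[._+-]", version.strip())
    first = int(parts[0])
    return int(parts[1]) if first == 1 and len(parts) > 1 else first

def find_jars(root):
    """File names of every .jar under root (e.g. an unpacked WAR)."""
    return [p.name for p in Path(root).rglob("*.jar")]

def triage(jar_names, java_version, binds_form_or_query=None):
    """Apply the post's preconditions. These are necessary conditions only,
    so the result is 'not applicable' or 'review', never 'vulnerable'.
    binds_form_or_query: True/False from code review, None if not yet known."""
    names = [Path(n).name.lower() for n in jar_names]
    has_scf = any(n.startswith("spring-cloud-function") for n in names)
    has_beans = any(re.match(r"spring-beans-\d", n) for n in names)
    result = {"CVE-2022-22963": "review" if has_scf else "not applicable"}
    blockers = []
    if not has_beans:
        blockers.append("no spring-beans jar")
    if java_major(java_version) < 9:
        blockers.append("Java below 9")
    if binds_form_or_query is False:
        blockers.append("no query/form parameter binding")
    result["CVE-2022-22965"] = "not applicable" if blockers else "review"
    result["reasons"] = blockers
    return result

if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real product.
    sample = ["WEB-INF/lib/spring-beans-5.3.17.jar", "WEB-INF/lib/app-core.jar"]
    print(triage(sample, "1.8.0_321"))
    print(triage(sample, "11.0.14"))
```

A `review` result only means the preconditions named in the post are present; patch level and the actual endpoint bindings still have to be checked.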