Is Control-M impacted by SpringShell/Spring4Shell vulnerability (CVE-2022-22965) or CVE-2022-22963 ?

Manage Support IDs

Use checkboxes to 'Remove support IDs/Users' or 'Allow to create Cases'
Support IDs for BMC Customer Support Site Guest User
Profiles Which Include    Back to All Support IDs
 

Knowledge Article

Is Control-M impacted by SpringShell/Spring4Shell vulnerability (CVE-2022-22965) or CVE-2022-22963 ?
This KA explains how Control-M products are affected by the Spring4Shell vulnerability and how to remediate the vulnerability
Control-M/Enterprise Manager
Control-M all Distributed products
Control-M/Enterprise Manager
Control-M all Distributed products
Is Control-M impacted by SpringShell/Spring4Shell/CVE-2022-22965 / CVE-2022-22963?
Is there a mitigation/fix/hotfix for the SpringShell/Spring4Shell/CVE-2022-22965 for Control-M ?
 
A detailed description of the Spring4Shell vulnerability can be found here: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
 
BMC has released the following Security Advisory about Spring4Shell. https://community.bmc.com/s/news/aA33n000000TXoRCAW/bmc-advisory-details-for-cve202222965-spring4shell-vulnerability
 
This Security Advisory will be updated regularly as additional information is available.
Last updated: September 27, 2022
For Helix Control-M products, refer to article 000395657
 

CVE-2022-22965 (Spring4Shell)

- Control-M Application Pack version 9.0.20 has been found to contain the Spring4Shell (CVE-2022-22965) vulnerability.
This is resolved in version 9.0.21
For version 9.0.20, this is resolved in patch PA1CM.9.0.20.205.  See the following for details:
https://docs.bmc.com/docs/display/ctm9020/Control-M+Application+Pack+PA1CM.9.0.20.205

NOTE:  Patch 205 can be applied on top of Application Pack version 9.0.20.200.  Application Pack 9.0.20.200 can be deployed from any Control-M/Enterprise Manager version 9.0.20. Control-M Application Pack 9.0.20.200 files have been made available as a separate download on the Product Downloads site.

- Control-M Application Pack version 9.0.18 and 9.0.19 are not impacted by the Spring4Shell (CVE-2022-22965) vulnerability.

All supported versions of the following products are not impacted by the Spring4Shell (CVE-2022-22965) vulnerability:
- Control-M/Enterprise Manager and add-ons
- Control-M/Server
- Control-M/Agent
- Control-M Managed File Transfer
- Control-M Managed File Transfer Enterprise
- Control-M for Advanced File Transfer
- Control-D/WebAccess Server, Control-D Delivery Server, Control-D Agents
- All plugins that are not part of Control-M Application Pack

CVE-2022-22963

All supported versions of all Control-M and Control-D products are not impacted by the CVE-2022-22963 vulnerability.
Control-M/Enterprise Manager
Control-M all Distributed products
Attachment(s):