Fix available for the Spring4Shell security vulnerability CVE-2022-22965


BMC Software is alerting users to the SpringShell or Spring4Shell vulnerability that requires immediate attention in TrueSight Smart Reporting - Platform.

A zero-day exploit for the vulnerability CVE-2022-22965 (known as SpringShell or Spring4Shell) was publicly released on March 30, 2022.

A detailed description of the vulnerability can be found on the Spring Framework RCE, Early Announcement page.

Please follow the BMC Security Advisory Note for further updates.

If you have any questions about the problem, contact BMC Support.

We recommend that you immediately apply the fix as described in this topic.

Issue

CVSS v3 rating: 9.8

Description: SpringShell or Spring4Shell security vulnerability (CVE-2022-22965).


Resolution

To apply the fix and mitigate the vulnerability, perform the following steps:

  1. Make sure that you have installed the TrueSightSmartReporting_HotFix_20.02.02.004 hotfix. For more information, see Fix available for Apache Log4j vulnerability CVE-2021-44832.
  2. Download the TrueSightSmartReporting_HotFix_20.02.02.005.zip file.
  3. Copy the file to the server where TrueSight Smart Reporting - Platform is installed and extract its contents.
  4. Stop the TrueSightSmartReporting service.
  5. Navigate to the <install_location>/appserver/webapps/ROOT/WEB-INF/lib directory.
  6. Back up the vulnerable Spring libraries (all files matching spring-*.jar) to a location outside the installation directory, and then delete them from the lib directory.
  7. Unzip the Spring_New.zip file in a temporary location.
  8. Copy the new Spring dependencies into the <install_location>/appserver/webapps/ROOT/WEB-INF/lib directory.
  9. Navigate to the <install_location>/appserver/webapps/ROOT/WEB-INF/lib directory.
  10. Take a backup of following files outside the installation directory, and then delete them:
    • tsr_provider.jar
    • tsr-utility.jar
  11. From the TrueSightSmartReporting_HotFix_20.02.02.005.zip file that you extracted, copy the following files:
    • tsr_provider.jar
    • tsr-utility.jar 
  12. Paste them in the <install_location>/appserver/webapps/ROOT/WEB-INF/lib directory.
  13. Navigate to the <install_location>/appserver/webapps directory.
  14. Take a backup of following files outside the installation directory, and then delete them:
    • ROOT.war
    • tsr.war
  15. From the TrueSightSmartReporting_HotFix_20.02.02.005.zip file that you extracted, copy the tsr.war file.
  16. Paste it in the <install_location>/appserver/webapps directory.
  17. Start the TrueSightSmartReporting service.
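The following POSIX shell helper is an added example and is not BMC's own tooling or part of the hotfix. It performs the back-up-then-delete of spring-*.jar from step 6 and, after the new libraries are in place, checks that no Spring Framework jar below a fixed release remains in WEB-INF/lib. It assumes, as the page does not state, that the jar file names carry the version (spring-core-5.3.16.jar, spring-webmvc-5.2.20.RELEASE.jar, the naming Spring releases use) and that the fixed releases are Spring Framework 5.3.18 and 5.2.20 (from the Spring advisory linked above). The spring-*.jar glob in the procedure also matches Spring Security and Spring Data jars, which follow their own version lines, so the version check is limited to Spring Framework artifacts; the demo tree at the end is constructed, not a real installation.

```shell
#!/bin/sh
# Added example, not BMC's script: back up and remove spring-*.jar from a
# TrueSight Smart Reporting WEB-INF/lib directory, then verify that only
# Spring Framework releases fixed for CVE-2022-22965 remain.
# Assumptions (not from the page): version is part of the jar file name, and
# the fixed releases are Spring Framework >= 5.3.18 and >= 5.2.20.
set -eu

# spring_version_patched VERSION -> exit 0 if VERSION is a fixed release.
# Accepts 5.3.16, 5.3.18, 5.2.20.RELEASE, ... (the .RELEASE suffix is dropped).
spring_version_patched() {
  v=$1
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  patch=${patch%%[!0-9]*}
  case "$major.$minor" in
    5.3) [ "$patch" -ge 18 ] ;;
    5.2) [ "$patch" -ge 20 ] ;;
    *)   [ "$major" -gt 5 ] ;;   # 5.1 and older never received a fix
  esac
}

# spring_framework_jar NAME -> exit 0 if NAME (without .jar) is a Spring
# Framework artifact. The procedure's glob also matches spring-security-*,
# spring-data-* and similar, which must not be judged by Framework versions.
spring_framework_jar() {
  case $1 in
    spring-core-*|spring-beans-*|spring-context-*|spring-web-*|spring-webmvc-*|\
    spring-webflux-*|spring-aop-*|spring-expression-*|spring-jcl-*|spring-jdbc-*|\
    spring-tx-*|spring-orm-*|spring-oxm-*|spring-jms-*|spring-messaging-*|\
    spring-websocket-*|spring-aspects-*|spring-test-*) return 0 ;;
    *) return 1 ;;
  esac
}

# backup_spring_jars LIBDIR BACKUPDIR -> move every spring-*.jar out of LIBDIR
# into BACKUPDIR (step 6 above) and print how many jars were moved.
backup_spring_jars() {
  lib=$1; backup=$2; n=0
  mkdir -p "$backup"
  for jar in "$lib"/spring-*.jar; do
    [ -f "$jar" ] || continue        # the glob matched nothing
    mv "$jar" "$backup"/
    n=$((n + 1))
  done
  echo "$n"
}

# check_spring_jars LIBDIR -> exit 0 if no vulnerable Spring Framework jar is
# left in LIBDIR, otherwise list each offender on stderr and exit 1.
check_spring_jars() {
  lib=$1; bad=0
  for jar in "$lib"/spring-*.jar; do
    [ -f "$jar" ] || continue
    name=${jar##*/}; name=${name%.jar}
    spring_framework_jar "$name" || continue
    version=${name##*-}
    if ! spring_version_patched "$version"; then
      echo "vulnerable: $jar" >&2
      bad=1
    fi
  done
  return $bad
}

# Constructed demo tree (not a real installation): an unpatched 5.3.16 lib dir.
demo=$(mktemp -d)
mkdir -p "$demo/lib"
for j in spring-core-5.3.16 spring-web-5.3.16 spring-webmvc-5.3.16 spring-security-core-5.6.2; do
  : > "$demo/lib/$j.jar"
done
if check_spring_jars "$demo/lib"; then echo "before: clean"; else echo "before: vulnerable jars present"; fi
moved=$(backup_spring_jars "$demo/lib" "$demo/backup")
echo "moved $moved jar(s) to $demo/backup"
# Stand-in for step 8: the patched jars copied from Spring_New.zip.
for j in spring-core-5.3.18 spring-web-5.3.18 spring-webmvc-5.3.18; do : > "$demo/lib/$j.jar"; done
check_spring_jars "$demo/lib" && echo "after: only fixed Spring Framework jars remain"
rm -rf "$demo"
```

On a real server, run check_spring_jars against <install_location>/appserver/webapps/ROOT/WEB-INF/lib after step 17 and compare the listed versions with the contents of Spring_New.zip; a jar whose name carries no version (a repackaged build, for example) is not checked by this script and should be inspected by its META-INF/MANIFEST.MF instead.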
