TIBCO Patterns-Search: Mitigation for CVE-2022-22963, CVE-2022-22965 (Spring4Shell)


Article ID: KB0107971


Products: TIBCO Patterns
Versions: 5.5.0, 5.6.0

Description

TIBCO is aware of the recently announced Java Spring Framework vulnerabilities CVE-2022-22963 and CVE-2022-22965, the second of which is referred to as “Spring4Shell”.

Both can allow an attacker to execute arbitrary code. CVE-2022-22965 (Spring4Shell) is a data-binding flaw in Spring Framework: request parameters bound onto a model object can reach ClassLoader properties. It is fixed in Spring Framework 5.2.20.RELEASE, the version installed by the procedure below. CVE-2022-22963 is an expression-language (SpEL) injection and lives in Spring Cloud Function rather than in Spring Framework itself.

TIBCO is monitoring the still-evolving situation and the updates to the Java Spring Framework, and our Product Security Incident Response Team (PSIRT) is evaluating how these vulnerabilities may affect TIBCO products and cloud services.

TIBCO continues to make the investigation and remediation of these vulnerabilities its top priority. Updates for TIBCO Patterns-Search will be provided via this article as more information becomes available. Please contact TIBCO Support with any questions.

Issue/Introduction

TIBCO Patterns-Search: Mitigation for CVE-2022-22963, CVE-2022-22965 (Spring4Shell)

Environment

Microsoft Windows, Linux

Resolution

Instructions for patching the Spring™ Framework in TIBCO Patterns-Search 5.5 and 5.6

  Prerequisites

  1. Download spring-5.2.20.RELEASE-dist.zip (https://repo.spring.io/ui/native/release/org/springframework/spring/5.2.20.RELEASE/spring-5.2.20.RELEASE-dist.zip) to TIBCO_HOME/tps/5.x/patterns_gui/. Verify the download against the checksum published alongside it in the repository before using it.
  2. Unzip it. Locate the libs sub-folder, which should contain several .jar files, among them the spring-*-5.2.20.RELEASE.jar files listed in step 4 below.

Steps:

1. Stop the Apache Tomcat service

On the command line, change directory to TIBCO_HOME/tps/5.x/patterns_gui

Windows: bin\pws.bat -stopTomcat

Linux: bin/pws.sh -stopTomcat

Confirm that no Tomcat process for this installation is still running before changing any jar files; replacing jars under a running web application is unreliable.

 

2. Back up the Tomcat directory (TIBCO_HOME/tps/5.x/patterns_gui/tomcat)

Use your organization’s approved backup methods, or simply make a copy of the entire Tomcat folder. This copy is what the uninstall procedure at the end of this article restores from.

 

3. Remove the 5.2.0 Spring Framework libraries

Preferably move them to another folder rather than deleting them, so the patch can be rolled back. The Spring modules are released as a matched set: remove the complete list below, since a 5.2.0 jar left beside 5.2.20 jars can keep the application exploitable or cause class-loading errors at startup.

From TIBCO_HOME/tps/5.x/patterns_gui/tomcat/webapps/patterns/WEB-INF/lib, remove these ten (10) files:

spring-aop-5.2.0.RELEASE.jar
spring-beans-5.2.0.RELEASE.jar
spring-context-5.2.0.RELEASE.jar
spring-core-5.2.0.RELEASE.jar
spring-expression-5.2.0.RELEASE.jar
spring-jcl-5.2.0.RELEASE.jar
spring-jdbc-5.2.0.RELEASE.jar
spring-test-5.2.0.RELEASE.jar
spring-web-5.2.0.RELEASE.jar
spring-webmvc-5.2.0.RELEASE.jar

From TIBCO_HOME/tps/5.x/patterns_gui/tomcat/webapps/pws/WEB-INF/lib, remove these nine (9) files:

spring-aop-5.2.0.RELEASE.jar
spring-beans-5.2.0.RELEASE.jar
spring-context-5.2.0.RELEASE.jar
spring-core-5.2.0.RELEASE.jar
spring-expression-5.2.0.RELEASE.jar
spring-jcl-5.2.0.RELEASE.jar
spring-oxm-5.2.0.RELEASE.jar
spring-web-5.2.0.RELEASE.jar
spring-webmvc-5.2.0.RELEASE.jar

 

4. Install the Spring Framework 5.2.20 libraries

Change directory into the libs sub-folder of the unzipped distribution (see the prerequisites).

Copy these ten (10) jars to TIBCO_HOME/tps/5.x/patterns_gui/tomcat/webapps/patterns/WEB-INF/lib:

spring-aop-5.2.20.RELEASE.jar
spring-beans-5.2.20.RELEASE.jar
spring-context-5.2.20.RELEASE.jar
spring-core-5.2.20.RELEASE.jar
spring-expression-5.2.20.RELEASE.jar
spring-jcl-5.2.20.RELEASE.jar
spring-jdbc-5.2.20.RELEASE.jar
spring-test-5.2.20.RELEASE.jar
spring-web-5.2.20.RELEASE.jar
spring-webmvc-5.2.20.RELEASE.jar

Copy these nine (9) jars to TIBCO_HOME/tps/5.x/patterns_gui/tomcat/webapps/pws/WEB-INF/lib:

spring-aop-5.2.20.RELEASE.jar
spring-beans-5.2.20.RELEASE.jar
spring-context-5.2.20.RELEASE.jar
spring-core-5.2.20.RELEASE.jar
spring-expression-5.2.20.RELEASE.jar
spring-jcl-5.2.20.RELEASE.jar
spring-oxm-5.2.20.RELEASE.jar
spring-web-5.2.20.RELEASE.jar
spring-webmvc-5.2.20.RELEASE.jar

Before restarting, list the spring-*.jar files in both WEB-INF/lib folders and confirm that only 5.2.20.RELEASE versions remain (ten in patterns, nine in pws) and that no 5.2.0.RELEASE jar is left.


5. Restart the Tomcat service

On the command line, change directory to TIBCO_HOME/tps/5.x/patterns_gui

Windows: bin\pws.bat -startTomcat

Linux: bin/pws.sh -startTomcat

After the restart, check the Tomcat log files for class-loading or deployment errors and confirm that the Patterns-Search web applications load normally.
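The jar swap of steps 2 through 4, scripted for the Linux case. This is an added example and is not TIBCO's own tooling. It assumes the paths and module lists exactly as given above, takes the patterns_gui directory and the unzipped libs folder as arguments, moves the 5.2.0 jars into a timestamped backup folder (a name chosen here, spring-5.2.0-backup-<timestamp>, so the uninstall procedure below stays possible), copies in the 5.2.20 jars, and then verifies that every expected jar is present and no 5.2.0 jar remains. Stopping and starting Tomcat with pws.sh is left to steps 1 and 5. Run as-is it exercises a constructed directory tree of empty placeholder files standing in for the jars, so it needs neither a TIBCO installation nor the real distribution; make_demo_tree, demo and the placeholder files exist only for that demonstration.

```shell
#!/bin/sh
# Added example (not from the TIBCO article): swap the Spring 5.2.0 jars for
# 5.2.20 in both Patterns-Search web applications, keeping the old jars for
# rollback, then verify that no 5.2.0 jar remains. Stop Tomcat with
# bin/pws.sh -stopTomcat before running this against a real install and
# start it afterwards; those two steps are deliberately not automated here.

OLD_VER="5.2.0.RELEASE"
NEW_VER="5.2.20.RELEASE"
# Module lists taken from the article: ten jars for "patterns", nine for "pws".
PATTERNS_JARS="spring-aop spring-beans spring-context spring-core spring-expression spring-jcl spring-jdbc spring-test spring-web spring-webmvc"
PWS_JARS="spring-aop spring-beans spring-context spring-core spring-expression spring-jcl spring-oxm spring-web spring-webmvc"

# swap_spring_jars LIB_DIR DIST_LIBS BACKUP_DIR "module ..."
# Moves each old jar out of LIB_DIR into BACKUP_DIR and copies the new one in.
# Fails before touching anything if a required 5.2.20 jar is missing.
swap_spring_jars() {
    s_lib=$1; s_dist=$2; s_backup=$3; s_mods=$4
    for m in $s_mods; do
        [ -f "$s_dist/$m-$NEW_VER.jar" ] || { echo "missing $s_dist/$m-$NEW_VER.jar" >&2; return 1; }
    done
    mkdir -p "$s_backup" || return 1
    for m in $s_mods; do
        if [ -f "$s_lib/$m-$OLD_VER.jar" ]; then
            mv "$s_lib/$m-$OLD_VER.jar" "$s_backup/" || return 1
        fi
        cp "$s_dist/$m-$NEW_VER.jar" "$s_lib/" || return 1
    done
}

# check_spring_jars LIB_DIR "module ..."
# Returns 0 only if every expected 5.2.20 jar is present and no spring-*-5.2.0
# jar is left behind. A leftover is flagged even if it is not in the list,
# because a mixed set of Spring versions is both unsafe and prone to
# class-loading errors.
check_spring_jars() {
    c_lib=$1; c_mods=$2; c_rc=0
    for m in $c_mods; do
        [ -f "$c_lib/$m-$NEW_VER.jar" ] || { echo "NOT PATCHED: $c_lib/$m-$NEW_VER.jar" >&2; c_rc=1; }
    done
    for f in "$c_lib"/spring-*-"$OLD_VER".jar; do
        [ -e "$f" ] || continue   # the glob matched nothing: no old jars left
        echo "VULNERABLE: $f still present" >&2; c_rc=1
    done
    return $c_rc
}

# patch_patterns_gui PATTERNS_GUI_DIR DIST_LIBS
# PATTERNS_GUI_DIR is TIBCO_HOME/tps/5.x/patterns_gui; DIST_LIBS is the libs
# folder of the unzipped spring-5.2.20.RELEASE-dist.zip. Old jars go to a
# timestamped backup folder (name chosen here) beside tomcat/, for rollback.
patch_patterns_gui() {
    p_gui=$1; p_dist=$2
    p_backup="$p_gui/spring-5.2.0-backup-$(date +%Y%m%d%H%M%S)"
    p_patterns="$p_gui/tomcat/webapps/patterns/WEB-INF/lib"
    p_pws="$p_gui/tomcat/webapps/pws/WEB-INF/lib"
    swap_spring_jars "$p_patterns" "$p_dist" "$p_backup/patterns" "$PATTERNS_JARS" || return 1
    swap_spring_jars "$p_pws" "$p_dist" "$p_backup/pws" "$PWS_JARS" || return 1
    p_rc=0
    check_spring_jars "$p_patterns" "$PATTERNS_JARS" || p_rc=1
    check_spring_jars "$p_pws" "$PWS_JARS" || p_rc=1
    return $p_rc
}

# make_demo_tree DIR: a constructed stand-in for the install and the unzipped
# distribution, using empty placeholder files instead of real jars, so the
# script can be exercised without a TIBCO installation.
make_demo_tree() {
    d=$1
    mkdir -p "$d/patterns_gui/tomcat/webapps/patterns/WEB-INF/lib" \
             "$d/patterns_gui/tomcat/webapps/pws/WEB-INF/lib" \
             "$d/spring-$NEW_VER-dist/libs"
    for m in $PATTERNS_JARS; do : > "$d/patterns_gui/tomcat/webapps/patterns/WEB-INF/lib/$m-$OLD_VER.jar"; done
    for m in $PWS_JARS; do : > "$d/patterns_gui/tomcat/webapps/pws/WEB-INF/lib/$m-$OLD_VER.jar"; done
    for m in $PATTERNS_JARS spring-oxm; do : > "$d/spring-$NEW_VER-dist/libs/$m-$NEW_VER.jar"; done
}

# demo: patch the constructed tree and report; returns the verification result.
demo() {
    d_tmp=$(mktemp -d)
    make_demo_tree "$d_tmp"
    if patch_patterns_gui "$d_tmp/patterns_gui" "$d_tmp/spring-$NEW_VER-dist/libs"; then
        d_rc=0; echo "demo: both webapps now carry Spring $NEW_VER; old jars kept under spring-5.2.0-backup-*"
    else
        d_rc=1; echo "demo: patch or verification failed" >&2
    fi
    rm -rf "$d_tmp"
    return $d_rc
}

demo
```

For a real installation, call patch_patterns_gui with TIBCO_HOME/tps/5.x/patterns_gui and the libs folder from the prerequisites instead of running demo. The pre-flight loop in swap_spring_jars matters: if the distribution is incomplete, the script refuses before moving anything rather than leaving a web application with a half-replaced Spring set, and the check at the end catches any 5.2.0 jar the module lists did not cover.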

Uninstalling the patch

The patch can be uninstalled as follows:

  1. Stop the Tomcat server
  2. Remove the 5.2.20 jar files
  3. Restore the 5.2.0 jar files 
  4. Start the Tomcat server

Additional Information

TIBCO's Spring Framework Vulnerability Update