IBM Support

Is IBM Workload Scheduler or IBM Workload Scheduler for z/OS susceptible to the CVE-2022-22965 (Spring4Shell) vulnerability?

Question & Answer


Question

Critical security vulnerabilities relating to Spring Framework have recently been identified. They are known as CVE-2022-22965 and CVE-2022-22963.

Is IBM Workload Scheduler susceptible to these vulnerabilities?

Answer

IBM Workload Scheduler is not vulnerable to the Spring4Shell vulnerabilities. This applies to both IWS for Distributed and IWS for z/OS.
The affected Spring jar files are not installed with the product in v10. Moreover, IWS 9.x releases also run JDK versions that do not allow the exploit (JDK 7 and 8).
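
The two conditions this answer relies on (no affected Spring jars, or a JDK older than 9) can be checked on an installation with a short inventory script. This is an added example, not IBM code: the artifact names and fixed versions (5.2.20, 5.3.18) are taken from the public Spring advisory for CVE-2022-22965, and the sample directory layout is constructed.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Artifact names and fixed versions: public Spring advisory for CVE-2022-22965 (not this page).
JAR_RE = re.compile(r"(spring-(?:beans|webmvc|webflux))-(\d+)\.(\d+)\.(\d+)[^/\\]*\.jar$")
ARCHIVES = {".war", ".ear", ".jar", ".zip"}

def is_affected_version(v):
    """True for Spring Framework releases older than the 5.2.20 / 5.3.18 fixes."""
    return v < (5, 2, 20) or (5, 3, 0) <= v < (5, 3, 18)

def java_major(version):
    """Map a java.version string ('1.8.0_321', '11.0.14') to its major number."""
    parts = version.split(".")
    return int(parts[1]) if parts[0] == "1" else int(re.match(r"\d+", parts[0]).group())

def _hit(location, name):
    m = JAR_RE.search(name)
    return [(location, m.group(1), tuple(map(int, m.group(2, 3, 4))))] if m else []

def find_spring_jars(root):
    """List (location, artifact, version) for Spring jars on disk or inside archives."""
    found = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        found += _hit(str(path), path.name)
        if path.suffix.lower() in ARCHIVES and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                for entry in zf.namelist():  # one level deep: jars packed in a WAR/EAR
                    found += _hit(f"{path}!{entry}", entry)
    return found

def assess(root, java_version):
    """Findings where both preconditions hold: an affected jar and JDK 9 or later."""
    jars = find_spring_jars(root) if java_major(java_version) >= 9 else []
    return [f for f in jars if is_affected_version(f[2])]

def build_sample_tree(root):
    """Constructed sample layout (hypothetical paths, not a real IWS install)."""
    Path(root, "lib").mkdir()
    Path(root, "lib", "spring-beans-5.3.18.jar").write_bytes(b"")
    with zipfile.ZipFile(Path(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/spring-webmvc-5.3.17.jar", b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(assess(tmp, "1.8.0_321"), assess(tmp, "11.0.14"))
```

An empty result from `find_spring_jars` corresponds to the v10 case described above; an empty result from `assess` with a JDK 7 or 8 version string corresponds to the 9.x case.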


Product Synonym

TWS;TWA;IWA;IWS;IWSd;IWSz

Document Information

Modified date:
04 April 2022

UID

ibm16569215