FortiSOAR: Security Orchestration and Response software provides innovative case management, automation, and orchestration. It pulls together all of an organization's tools, helps unify operations, and reduce alert fatigue, context switching, and the mean time to respond to incidents.
This article describes how the CVE-2022-22965 and CVE-2022-22963 vulnerabilities affect FortiSOAR as it uses the Spring Framework with JDK 11.
The CVE-2022-22965 vulnerability states that A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.FortiSOAR is affected by this vulnerability since it uses the Spring Boot framework which is dependent on the Spring framework.
Note: FortiSOAR is not vulnerable to CVE-2022-22963 as FortiSOAR does not use the Spring Cloud Function.
Scope
FortiSOAR releases 7.0.x.
Solution
Upgradedthe Spring Boot Framework to 2.5.12.
Install the fsr-cve-2022-22965-fix.zip security patch to fix this vulnerability on FortiSOAR7.0.xas follows:
1). SSH into the FortiSOAR VM and log in as a root user.
3). Extract the fsr-cve-2022-22965-fix.zip using command and go to the extracted directory: unzip fsr-cve-2022-22965-fix.zip cd fsr-cve-2022-22965-fix/
4). Run the shell script 'hotfix.sh' to apply the changes: sh hotfix.sh
Note: To fix these vulnerabilities in earlier releases of FortiSOAR, it is recommended to upgrade the firmware to 7.x.x series.
