CVE-2022-22950 Mitigation

This medium-severity vulnerability in the VMware Spring dependency affects only an optional component of Tamr Core, the Data Movement Service (DMS). DMS is disabled by default and can optionally be enabled.

You can confirm that the DMS is disabled by running this script as the functional user:
    ./tamr/utils/unify-admin.sh config:get APPS_DMS_ENABLED

  • If this script returns APPS_DMS_ENABLED: false, then DMS is currently disabled. Optionally, you can remove the DMS .jar file from your system if you do not anticipate future use of DMS for the deployment.
  • If this script returns APPS_DMS_ENABLED: true, you can disable DMS and then optionally remove the DMS .jar file.

Procedures follow.

To disable DMS:

  1. Stop Tamr Core and its dependencies:
    ./tamr/stop-unify.sh
    ./tamr/stop-dependencies.sh
  2. Modify the configuration setting:
    ./tamr/start-zk.sh
    ./tamr/utils/unify-admin.sh config:set APPS_DMS_ENABLED=false
  3. Restart Tamr Core and its dependencies:
    ./tamr/start-dependencies.sh
    ./tamr/start-unify.sh

Optionally, you can now remove the DMS .jar file if you do not anticipate future use of DMS for the deployment.

To delete the DMS .jar file:

  1. Stop Tamr Core and its dependencies:
    ./tamr/stop-unify.sh
    ./tamr/stop-dependencies.sh
  2. Delete the DMS .jar file:
    rm <TAMR_HOME>/tamr/libs/dms.jar
  3. Restart Tamr Core and its dependencies:
    ./tamr/start-dependencies.sh
    ./tamr/start-unify.sh
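
To verify the result of either procedure, the following added example (not part of the original page and not Tamr code) classifies the `config:get` output and checks whether the DMS .jar file is still on disk. It assumes `TAMR_HOME` is the directory that contains `tamr/`; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not Tamr code). Function names are hypothetical.
# Assumption: TAMR_HOME is the directory that contains tamr/.

# Classify the text printed by `unify-admin.sh config:get APPS_DMS_ENABLED`.
# Prints: disabled | enabled | unknown
dms_flag_state() {
  local line value
  # Use the last matching line so any other output lines are ignored.
  line=$(printf '%s\n' "$1" | grep -E '^[[:space:]]*APPS_DMS_ENABLED[[:space:]]*:' | tail -n 1)
  value=$(printf '%s' "$line" | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//' | tr '[:upper:]' '[:lower:]')
  case "$value" in
    false) echo disabled ;;
    true)  echo enabled ;;
    *)     echo unknown ;;   # empty or unexpected output: do not assume "disabled"
  esac
}

# Combine the flag with the presence of the DMS jar.
# $1 = config:get output, $2 = TAMR_HOME
dms_verdict() {
  local jar="$2/tamr/libs/dms.jar"
  case "$(dms_flag_state "$1")" in
    enabled)  echo enabled ;;
    disabled) if [ -e "$jar" ]; then echo disabled-jar-present; else echo disabled-jar-removed; fi ;;
    *)        echo unknown ;;
  esac
}

# Run the check against a deployment; non-zero exit unless DMS is confirmed disabled.
check_dms() {
  local home="$1" out verdict
  out=$(cd "$home" && ./tamr/utils/unify-admin.sh config:get APPS_DMS_ENABLED 2>&1) || true
  verdict=$(dms_verdict "$out" "$home")
  echo "DMS: $verdict"
  case "$verdict" in disabled-*) return 0 ;; *) return 1 ;; esac
}

# Usage: TAMR_HOME=/path/to/install ./check-dms.sh --check
if [ "${1:-}" = "--check" ]; then
  check_dms "${TAMR_HOME:?set TAMR_HOME}"
fi
```

The check fails closed: if the command produces no recognizable `APPS_DMS_ENABLED` line, the verdict is `unknown` and the exit status is non-zero rather than being treated as disabled.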