Coverage for multiple Spring vulnerabilities (CVE-2022-22947, CVE-2022-22950, CVE-2022-22963, CVE-2022-22965)
Last Modified: 2022-04-19 04:27:42 Etc/GMT
Technical Articles ID: KB95447

Summary
Recent updates to this article
We're actively tracking four distinct vulnerabilities in several components of Spring, a Java framework owned by VMware. There has been confusion around these Spring vulnerabilities; we can confirm that the four vulnerabilities we're tracking are unique issues, each with its own CVE.

Owing to the severity of these vulnerabilities, we've created this article to communicate the actions that customers can take to mitigate risk in their environment. We're actively monitoring these vulnerabilities and researching ways to use our solutions to protect against them. We're also reviewing all our solutions for any potential impact. See SB10380 - REGISTERED - Security Bulletin - Product status for Spring vulnerabilities (CVE-2022-22947, CVE-2022-22963, CVE-2022-22965).

NOTE: The referenced content is available only to logged-in ServicePortal users. To view the content, click the link and log in when prompted.

Subscribe to this article to receive updates pertaining to related coverage and countermeasures. To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
For further information, see the following articles:

- CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability
- CVE-2022-22950: Spring Expression DoS Vulnerability
- CVE-2022-22963: RCE in Spring Cloud Function by malicious Spring Expression
- CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

Problem 1
VMware released CVE-2022-22963 on March 29, 2022. Spring Cloud Function versions 3.1.6, 3.2.2, and earlier unsupported versions are impacted. When the routing functionality is used, a user can supply a specially crafted SpEL expression as a routing-expression, which might result in access to local resources. VMware has released a patch for this issue that upgrades the Spring Cloud Function component to version 3.1.7 or 3.2.3.

Problem 2
VMware released CVE-2022-22965 on March 31, 2022. Spring Framework versions 5.3.0–5.3.17, 5.2.0–5.2.19, and earlier unsupported versions are impacted. A Spring MVC or Spring WebFlux application running on JDK 9+ might be vulnerable to RCE via data binding. Users of affected versions should update as follows: 5.3.x users should upgrade to 5.3.18 or later, and 5.2.x users should upgrade to 5.2.20 or later.

Problem 3
VMware released CVE-2022-22950 on March 28, 2022. Spring Framework versions 5.3.0–5.3.16, and earlier unsupported versions, are impacted. This issue might cause a DoS condition if a specially crafted SpEL expression is provided. Spring Framework versions 5.3.17 and later include fixes for this vulnerability.
Problem 4
VMware released CVE-2022-22947 on March 1, 2022. Spring Cloud Gateway versions 3.1.0, 3.0.0–3.0.6, and earlier unsupported versions are impacted. When the Gateway Actuator endpoint is enabled, exposed, and unsecured, a remote attacker can send a maliciously crafted request that leads to arbitrary remote code execution on the affected host. Spring Cloud Gateway versions 3.1.1 and later, and 3.0.7 and later, include fixes for this vulnerability.
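The four problems above each reduce to a version-range question, which is the first thing a defender needs to answer across an estate. The following checker is an added example, not Trellix's, VMware's or the Spring project's code: it encodes the affected ranges exactly as this article states them, reads the dependency lines printed by `mvn dependency:list` (the sample lines are constructed), and reports which CVEs apply and the fixed version to move to. It assumes the Maven artifact ids `spring-cloud-gateway-server` and `spring-cloud-function-context` for the two Spring Cloud components and treats any `org.springframework` artifact as carrying the Spring Framework version; the JDK 9+ condition on CVE-2022-22965 is honoured when the running JDK major version is supplied.

```python
"""Offline checker that compares Spring component versions against the affected
ranges stated in this article (CVE-2022-22947, CVE-2022-22950, CVE-2022-22963,
CVE-2022-22965). Added example; not vendor code."""
import re
from dataclasses import dataclass


@dataclass
class Advisory:
    cve: str
    product: str
    # (major, minor) branch -> highest affected patch level, as the article lists them.
    # Branches older than the oldest listed one are the article's "earlier
    # unsupported versions" and are treated as affected.
    ceilings: dict
    fixed_in: str
    jdk9_only: bool = False  # CVE-2022-22965 concerns applications running on JDK 9+

    def affects(self, version, jdk_major=None):
        if self.jdk9_only and jdk_major is not None and jdk_major < 9:
            return False
        branch = version[:2]
        if branch in self.ceilings:
            return version[2] <= self.ceilings[branch]
        return branch < min(self.ceilings)


ADVISORIES = [
    Advisory("CVE-2022-22963", "spring-cloud-function", {(3, 1): 6, (3, 2): 2}, "3.1.7 / 3.2.3"),
    Advisory("CVE-2022-22965", "spring-framework", {(5, 2): 19, (5, 3): 17}, "5.2.20 / 5.3.18",
             jdk9_only=True),
    Advisory("CVE-2022-22950", "spring-framework", {(5, 3): 16}, "5.3.17"),
    Advisory("CVE-2022-22947", "spring-cloud-gateway", {(3, 0): 6, (3, 1): 0}, "3.0.7 / 3.1.1"),
]

# Assumed mapping from Maven coordinates to the products above; None matches any artifact id.
PRODUCT_BY_COORD = [
    ("org.springframework.cloud", "spring-cloud-gateway-server", "spring-cloud-gateway"),
    ("org.springframework.cloud", "spring-cloud-function-context", "spring-cloud-function"),
    ("org.springframework", None, "spring-framework"),
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
# Matches lines such as "[INFO]    org.springframework:spring-webmvc:jar:5.3.17:compile"
DEP_RE = re.compile(r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):jar:([^:\s]+):")


def parse_version(text):
    """'5.2.19.RELEASE', '5.3.18' or '3.1.1-SNAPSHOT' -> (major, minor, patch)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def product_for(group, artifact):
    for g, a, product in PRODUCT_BY_COORD:
        if group == g and (a is None or a == artifact):
            return product
    return None


def scan(dependency_lines, jdk_major=None):
    """Return sorted, de-duplicated (cve, coordinate, version, fixed_in) tuples."""
    findings = set()
    for line in dependency_lines:
        m = DEP_RE.match(line)
        if not m:
            continue
        group, artifact, raw_version = m.groups()
        product = product_for(group, artifact)
        if product is None:
            continue
        version = parse_version(raw_version)
        for adv in ADVISORIES:
            if adv.product == product and adv.affects(version, jdk_major):
                findings.add((adv.cve, f"{group}:{artifact}", raw_version, adv.fixed_in))
    return sorted(findings)


# Constructed sample of `mvn dependency:list` output for a hypothetical application.
SAMPLE_DEPENDENCIES = [
    "[INFO]    org.springframework:spring-webmvc:jar:5.3.17:compile",
    "[INFO]    org.springframework:spring-core:jar:5.3.17:compile",
    "[INFO]    org.springframework.cloud:spring-cloud-gateway-server:jar:3.1.0:compile",
    "[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:3.2.3:compile",
    "[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile",
]

if __name__ == "__main__":
    for cve, coord, version, fixed in scan(SAMPLE_DEPENDENCIES, jdk_major=11):
        print(f"{cve}: {coord} {version} is affected; upgrade to {fixed}")
```

On the constructed sample the Spring Framework 5.3.17 artifacts are flagged for CVE-2022-22965 but not for CVE-2022-22950 (fixed in 5.3.17), the gateway server 3.1.0 is flagged for CVE-2022-22947, and Spring Cloud Function 3.2.3 is clean; running the same scan with `jdk_major=8` drops the CVE-2022-22965 findings because the article scopes that issue to JDK 9+.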
Solution
Network Security Platform (NSP) User-Defined Signature (UDS)

UDSs are provided as an immediate solution to known vulnerabilities. For more information about this UDS, see REGISTERED - NSP Emergency UDS Release Notes - UDS for Multiple Vulnerabilities.

NOTE: The referenced content is available only to logged-in ServicePortal users. To view the content, click the link and log in when prompted.