ePolicy Orchestrator Sustaining Statement (SSC2204011) - Spring Framework vulnerability CVE-2022-22965 (not vulnerable)
Last Modified: 2022-04-01 19:01:56 Etc/GMT
Affected Products
Languages:
This article is available in the following languages:
Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.
As per Gartner, "XDR is an emerging technology that can offer improved threat prevention, detection and response."
Trellix announced the establishment of the Trellix Advanced Research Center to advance global threat intelligence.
Trellix Advanced Research Center analyzes threat data on ransomware, nation-states, sectors, vectors, LotL, MITRE ATT&CK techniques, and emails.
As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
ePolicy Orchestrator Sustaining Statement (SSC2204011) - Spring Framework vulnerability CVE-2022-22965 (not vulnerable)
Technical Articles ID:
KB95454
Last Modified: 2022-04-01 19:01:56 Etc/GMT Environment
ePolicy Orchestrator (ePO) 5.x
Summary
This statement addresses concerns about ePO and the Spring Framework vulnerability CVE-2022-22965. Spring Framework security advisory Description CVE-2022-22965: A Spring MVC or Spring WebFlux application running on JDK 9 or later might be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable JAR, which is the default, it isn’t vulnerable to the exploit. But, the nature of the vulnerability is more general, and there might be other ways to exploit it. The prerequisites for the exploit are:
The latest version of ePO uses JRE version 1.8.0.321 (Java 8), so ePO doesn’t meet the prerequisites for the exploit and isn’t vulnerable. Affected ProductsLanguages:This article is available in the following languages: |
|