VMware patches Spring4Shell RCE vulnerability CVE-2022-22965

Sicherheit (Pexels, allgemeine Nutzung)[German]Virtualization specialist VMware has released security updates for various virtualization products. These are intended to close the remote code execution (RCE) vulnerability called Spring4Shell in these products. Cloud products that use virtualization are particularly at risk. Here is an overview of this issue.


Advertising

Spring4Shell: Vulnerability CVE-2022-2296

The vulnerability CVE-2022-2296 has been found a good week ago as Spring4Shell exists in the open source Java framework Spring. The vulnerability allows an attacker to execute arbitrary code on a remote web server (remote code execution). This is what mitre.org says about CVE-2022-22965:

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot jar executable, i.e., by default, it is not vulnerable to the exploit. However, the vulnerability is general in nature, and there may be other ways to exploit it.

This makes CVE-2022-22965 a critical threat because of the wide use of the Spring framework. In reference to the infamous Log4Shell threat, the vulnerability was named Spring4Shell. A vulnerable configuration consists of:

  • JDK Version 9+
  • Apache Tomcat for application deployment
  • Spring Framework versions 5.3.0 through 5.3.17 and 5.2.0 through 5.2.19 and an application built as a WAR file

Vulnerability CVE-2022-22963 exists in Spring Cloud Function routing functionality and allows code injection through Spring Expression Language (SpEL). Details about Spring4Shell can be found on Kaspersky's Securelist blog. Updating the affected component from Spring Cloud Function 3.1.6, 3.2.2 to 2.6.6 should fix the vulnerability  (see Spring blog). In the meantime, an exploit has already been published on GitHub.

VMware patches Spring4Shell vulnerability

Vendor VMware has assessed its products for vulnerability with regard to the Spring4Shell vulnerability and published security advisory VMSA-2022-0010.1. CVE-2022-2296 vulnerability is rated CVE score of 9.8 (critical) and VMware indicates the following products are affected:

  • VMware Tanzu Application Service for VMs
  • VMware Tanzu Operations Manager
  • VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)

VMware has published the following table in its security advisory with an overview of affected and patchable products.


Advertising

VMware Spring4Shell

The list shows that patches for the various versions are already available for Tanzu Applications Services and Tanzu Operations Manager. For TKGI, however, the security updates are still pending, although there is a workaround to mitigate CVE-2022-22965.


Advertising

This entry was posted in Security, Software, Virtualization and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).