CERT/CC Vulnerability Note VU#970766
Published: Mar 31, 2022

Spring Framework insecurely handles PropertyDescriptor objects with data binding

Source: www.kb.cert.org

CVSS v3.1: 9.8 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: None
  User Interaction: None
  Scope: Unchanged
  Confidentiality Impact: High
  Integrity Impact: High
  Availability Impact: High

CVSS v2: 7.5 High
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality Impact: Partial
  Integrity Impact: Partial
  Availability Impact: Partial

EPSS: 0.975 High (percentile 100.0%)

Overview

The Spring Framework insecurely handles PropertyDescriptor objects, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

The Spring Framework is a Java framework that can be used to create applications such as web applications. Its data binder populates JavaBean properties from request parameters and resolves nested property paths through the beans' PropertyDescriptor objects. Because that traversal was not restricted, a parameter name that begins with a bound bean's `class` property could reach the ClassLoader behind the bean and set properties on it, so Java applications written with Spring may allow the execution of arbitrary code.

Exploit code that targets affected applications packaged as a WAR and deployed on Apache Tomcat is publicly available. That exploit chain requires JDK 9 or later; other deployments (for example a Spring Boot executable JAR with embedded Tomcat, or Java 8) are not reached by that particular exploit, but the underlying defect is still present and other paths may exist.

NCSC-NL has a list of products and their statuses with respect to this vulnerability.
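As an added triage check (not code from the CERT note or from the Spring project), the class below reports whether the JVM it runs in carries a pre-fix Spring Framework and a JDK on which the public Tomcat/WAR exploit chain works. The version thresholds are the ones given in this note's Solution section (5.3.18 and 5.2.20); the class name and the classpath invocation in the usage note are assumptions.

```java
// Added triage check, not code from the CERT note or the Spring project.
// Assumes spring-core is on the classpath (it provides SpringVersion).
import org.springframework.core.SpringVersion;

public final class Spring4ShellTriage {

    /** Parses "major.minor.patch" (e.g. "5.3.17" or "5.3.17.RELEASE"); null if unparseable. */
    static int[] parseVersion(String version) {
        if (version == null) return null;
        String[] parts = version.split("\\.");
        if (parts.length < 3) return null;
        try {
            return new int[] {
                Integer.parseInt(parts[0]), Integer.parseInt(parts[1]), Integer.parseInt(parts[2])
            };
        } catch (NumberFormatException e) {
            return null;
        }
    }

    /**
     * True when the framework version predates the fix: 5.3.x is fixed from 5.3.18, 5.2.x from
     * 5.2.20, and 6.0 and later ship with the fix. Older lines (5.1 and earlier, 4.x) received no
     * fix and are reported as affected. An unknown or unparseable version fails closed (affected).
     */
    static boolean frameworkVulnerable(String version) {
        int[] v = parseVersion(version);
        if (v == null) return true;
        if (v[0] != 5) return v[0] < 5;
        if (v[1] > 3) return false;
        if (v[1] == 3) return v[2] < 18;
        if (v[1] == 2) return v[2] < 20;
        return true;
    }

    /** Maps java.specification.version ("1.8" for Java 8 and earlier, "9", "11", "17", ...) to a feature number. */
    static int javaFeatureVersion(String specVersion) {
        if (specVersion.startsWith("1.")) return Integer.parseInt(specVersion.substring(2));
        return Integer.parseInt(specVersion);
    }

    /** Combines the framework check with the JDK precondition of the public exploit chain. */
    static String verdict(String springVersion, String javaSpec) {
        if (!frameworkVulnerable(springVersion)) {
            return "PATCHED: Spring Framework " + springVersion;
        }
        if (javaFeatureVersion(javaSpec) >= 9) {
            return "AFFECTED: Spring Framework " + springVersion + " on JDK " + javaSpec
                + " (public Tomcat/WAR exploit chain applies); upgrade";
        }
        return "AFFECTED: Spring Framework " + springVersion + " on JDK " + javaSpec
            + " (defect present; public exploit chain needs JDK 9+); upgrade";
    }

    public static void main(String[] args) {
        // SpringVersion reads Implementation-Version from the spring-core jar manifest. It is null
        // when the jar was repackaged or shaded without that manifest entry, and the check then
        // fails closed rather than reporting a clean bill of health.
        String springVersion = SpringVersion.getVersion();
        String javaSpec = System.getProperty("java.specification.version");
        System.out.println(verdict(springVersion, javaSpec));
    }
}
```

Run it with the application's own classpath so the same spring-core jar is inspected, for example `java -cp 'WEB-INF/classes:WEB-INF/lib/*' Spring4ShellTriage` from an exploded WAR (path assumed). The verdict describes the framework and JDK only; whether a given application is actually exploitable also depends on it exposing data-binding endpoints, so treat "AFFECTED" as a reason to upgrade, not as proof of compromise, and treat "PATCHED" with suspicion when a build relocates or bundles Spring under another name.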

Impact

By providing crafted data to a Spring Java application, such as a web application, an attacker may be able to execute arbitrary code with the privileges of the affected application. Depending on the application, exploitation may be possible by a remote attacker without requiring authentication.

Solution

Apply an update

This issue is addressed in Spring Framework 5.3.18 and 5.2.20. Applications built on Spring Boot receive the fixed framework through Spring Boot 2.6.6 and 2.5.12. Please see the Spring Framework RCE Early Announcement for more details, including an interim data-binder deny-list workaround for applications that cannot upgrade immediately.
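The interim workaround from Spring's announcement, shown beside the kind of controller it protects, as an added example (not code from the CERT note; the package, bean and endpoint names are hypothetical, and the deny-list patterns are the ones Spring published). Assumes Spring Web MVC 5.x.

```java
// Added example, not code from the CERT note. The deny-list is the interim workaround
// Spring published for applications that cannot upgrade to 5.3.18 / 5.2.20 yet.
// Package, bean and endpoint names are hypothetical.
package com.example.greet;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.ResponseBody;

public final class Spring4ShellMitigation {

    /** Ordinary form-backing bean; data binding fills it from request parameters by property name. */
    public static class Greeting {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * The exposure. Nothing here is unusual: on an unpatched framework the WebDataBinder resolves
     * nested property paths taken from parameter names, so a parameter whose name starts with
     * "class." walks Greeting.getClass() -> Module -> ClassLoader and can set writable properties
     * on whatever that ClassLoader exposes (on Tomcat, its logging configuration).
     */
    @Controller
    public static class GreetingController {
        @PostMapping("/greet")
        @ResponseBody
        public String greet(@ModelAttribute Greeting greeting) {
            return "Hello, " + greeting.getName();
        }
    }

    /**
     * Interim workaround: refuse to bind any path that has a "class" / "Class" segment. Both
     * spellings are listed because pattern matching is case-sensitive on the affected versions.
     * The @Order value follows Spring's published snippet.
     */
    @ControllerAdvice
    @Order(Ordered.LOWEST_PRECEDENCE)
    public static class BinderControllerAdvice {
        @InitBinder
        public void setAllowedFields(WebDataBinder dataBinder) {
            String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
            dataBinder.setDisallowedFields(denylist);
        }
    }
}
```

Two caveats when relying on this instead of upgrading. `setDisallowedFields` replaces the binder's deny-list rather than appending to it, so any controller with its own `@InitBinder` method that calls `setDisallowedFields` locally overrides this advice for that controller and needs the same patterns added there. And the advice only covers binders created for `@InitBinder`-aware handlers; code that constructs a `DataBinder` or `WebDataBinder` directly is not protected by it.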

Acknowledgements

This issue was publicly disclosed by heige.

This document was written by Will Dormann

Vendor Information


Blueriq: Affected (CVE-2022-22965). Notified: 2022-04-02. Updated: 2022-04-02.
Vendor statement: We have not received a statement from the vendor.

BMC Software: Affected (CVE-2022-22965). Notified: 2022-04-06. Updated: 2022-04-06.
Vendor statement: We have not received a statement from the vendor.

Cisco: Affected (CVE-2022-22965). Notified: 2022-04-06. Updated: 2022-04-08. Statement date: April 07, 2022.
Vendor statement: Cisco is aware of the vulnerability identified by CVE ID CVE-2022-22950 and with the title “Spring Expression DoS Vulnerability”. We are following our well-established process to investigate all aspects of the issue. If something is found that our customers need to be aware of and respond to, we will communicate via our established disclosure process.

Dell: Affected (CVE-2022-22965). Updated: 2022-04-20.
Vendor statement: We have not received a statement from the vendor.

JAMF software: Affected (CVE-2022-22965). Notified: 2022-04-06. Updated: 2022-04-04.
Vendor statement: We have not received a statement from the vendor.

NetApp: Affected (CVE-2022-22965). Notified: 2022-04-06. Updated: 2022-04-05.
Vendor statement: We have not received a statement from the vendor.

PTC: Affected (CVE-2022-22965). Notified: 2022-04-06. Updated: 2022-04-04.
Vendor statement: We have not received a statement from the vendor.

SAP SE: Affected (CVE-2022-22965). Updated: 2022-04-13.
Vendor statement: We have not received a statement from the vendor.

Siemens: Affected (CVE-2022-22965). Updated: 2022-04-27.
Vendor statement: We have not received a statement from the vendor.

SolarWinds: Affected (CVE-2022-22965). Notified: 2022-04-02. Updated: 2022-04-06. Statement date: April 04, 2022.
Vendor statement: We have not received any reports of these issues from SolarWinds customers but are actively investigating. The following SolarWinds products do utilize the Spring Framework, but have not yet been confirmed to be affected by this issue: Security Event Manager (SEM); Database Performance Analyzer (DPA); Web Help Desk (WHD). While we have not seen or received reports of SolarWinds products affected by this issue, for the protection of their environments, SolarWinds strongly recommends all customers disconnect their public-facing (internet-facing) installations of these SolarWinds products (SEM, DPA, and WHD) from the internet.

Spring: Affected (CVE-2022-22965). Notified: 2022-03-31. Updated: 2022-03-31. Statement date: March 31, 2022.
Vendor statement: We have not received a statement from the vendor.

VMware: Affected (CVE-2022-22965). Notified: 2022-04-06. Updated: 2022-04-03.
Vendor statement: We have not received a statement from the vendor.

Aruba Networks: Not Affected (CVE-2022-22965). Notified: 2022-04-06. Updated: 2022-04-08. Statement date: April 07, 2022.
Vendor statement: Aruba Networks is aware of the issue and we have published a security advisory for our products at https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-006.txt

Check Point: Not Affected (CVE-2022-22965). Updated: 2022-04-12.
Vendor statement: We have not received a statement from the vendor.

Commvault: Not Affected (CVE-2022-22965). Notified: 2022-04-06. Updated: 2022-04-05.
Vendor statement: We have not received a statement from the vendor.

Elastic: Not Affected (CVE-2022-22965). Notified: 2022-04-06. Updated: 2022-04-05.
Vendor statement: We have not received a statement from the vendor.

F5 Networks: Not Affected (CVE-2022-22965). Notified: 2022-04-01. Updated: 2022-04-20. Statement date: April 15, 2022.
Vendor statement: F5 products and services and NGINX products are not affected by CVE-2022-22965.

Jenkins: Not Affected (CVE-2022-22965). Notified: 2022-04-06. Updated: 2022-04-02.
Vendor statement: We have not received a statement from the vendor.

Micro Focus: Not Affected (CVE-2022-22965). Notified: 2022-04-06. Updated: 2022-04-05.
Vendor statement: We have not received a statement from the vendor.

Okta Inc.: Not Affected (CVE-2022-22965). Notified: 2022-04-06. Updated: 2022-04-04.
Vendor statement: We have not received a statement from the vendor.

Palo Alto Networks: Not Affected (CVE-2022-22965). Notified: 2022-04-06. Updated: 2022-04-05.
Vendor statement: We have not received a statement from the vendor.

Pulse Secure: Not Affected (CVE-2022-22965). Notified: 2022-04-06. Updated: 2022-04-05.
Vendor statement: We have not received a statement from the vendor.

Red Hat: Not Affected (CVE-2022-22965). Notified: 2022-04-06. Updated: 2022-04-08. Statement date: April 08, 2022.
Vendor statement: No Red Hat products are affected by CVE-2022-22963.

salesforce.com: Not Affected (CVE-2022-22965). Notified: 2022-04-06. Updated: 2022-04-05.
Vendor statement: We have not received a statement from the vendor.

SonarSource: Not Affected (CVE-2022-22965). Notified: 2022-04-06. Updated: 2022-04-06.
Vendor statement: We have not received a statement from the vendor.

Trend Micro: Not Affected (CVE-2022-22965). Notified: 2022-04-02. Updated: 2022-04-08. Statement date: April 06, 2022.
Vendor statement: We have not received a statement from the vendor.

Ubiquiti: Not Affected (CVE-2022-22965). Notified: 2022-04-06. Updated: 2022-04-08. Statement date: April 08, 2022.
Vendor statement: The UniFi Network application only supports Java 8, which is not affected by this CVE. Still, the upcoming Network Version 7.2 update will upgrade to Spring Framework 5.3.18.

Veritas Technologies: Not Affected (CVE-2022-22965). Notified: 2022-04-02. Updated: 2022-04-02.
Vendor statement: We have not received a statement from the vendor.

Atlassian: Unknown (CVE-2022-22965). Notified: 2022-04-01. Updated: 2022-04-02.
Vendor statement: We have not received a statement from the vendor.

CyberArk: Unknown (CVE-2022-22965). Updated: 2022-04-12.
Vendor statement: We have not received a statement from the vendor.

Fortinet: Unknown (CVE-2022-22965). Notified: 2022-04-02. Updated: 2022-04-02.
Vendor statement: We have not received a statement from the vendor.

GeoServer: Unknown (CVE-2022-22965). Notified: 2022-04-02. Updated: 2022-04-02.
Vendor statement: We have not received a statement from the vendor.

Kofax: Unknown (CVE-2022-22965). Notified: 2022-04-06. Updated: 2022-04-05.
Vendor statement: We have not received a statement from the vendor.

McAfee: Unknown (CVE-2022-22965). Notified: 2022-04-06. Updated: 2022-04-11.
Vendor statement: We have not received a statement from the vendor.

ServiceNow: Unknown (CVE-2022-22965). Notified: 2022-04-02. Updated: 2022-04-02.
Vendor statement: We have not received a statement from the vendor.

TIBCO: Unknown (CVE-2022-22965). Notified: 2022-04-06. Updated: 2022-05-19. Statement date: May 17, 2022.
Vendor statement: We have not received a statement from the vendor.

Alphatron Medical: Unknown (CVE-2022-22965). Notified: 2022-04-02. Updated: 2022-04-02.
Vendor statement: We have not received a statement from the vendor.

Extreme Networks: Unknown (CVE-2022-22965). Notified: 2022-04-06. Updated: 2022-04-05.
Vendor statement: We have not received a statement from the vendor.

PagerDuty: Unknown (CVE-2022-22965). Notified: 2022-04-02. Updated: 2022-04-02.
Vendor statement: We have not received a statement from the vendor.

39 vendors listed.

Other Information

CVE IDs: CVE-2022-22965
Date Public: 2022-03-30
Date First Published:
