1676 matches found
Security Bulletin: Vulnerabilities have been identified in Spring Framework, OpenSSL and Apache HTTP Server shipped with the DS8000 Hardware Management Console (HMC)
Summary The updates indicated below have been released to address the following vulnerabilities: Spring Framework CVE-2022-22965, OpenSSL vulnerabilities CVE-2022-0778, Apache HTTP Server CVE-2021-26691, CVE-2021-40438, CVE-2021-44790, and CVE-2021-20325. Vulnerability Details CVEID:CVE-2022-0778...
Jira Server/DC impacted by CVE-2022-22970 & CVE-2022-22971 via vulnerable version of Spring framework
Jira is not impacted; no action is required, as the vulnerability cannot be exploited. All Jira versions below 9.6 use an affected version of Spring Framework, which is why JRASERVER-74776 was published; however, Jira does not use the affected methods from Spring, hence it is not impacted:...
Security Bulletin: Vulnerability in Spring Framework affects IBM Process Mining and could allow a local attacker to execute arbitrary code on the system (CVE-2022-22965)
Summary There is a vulnerability in Spring Framework that could allow a local attacker to execute arbitrary code on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. The product is in an affected but not vulnerab...
Security Bulletin: Vulnerabilities in Spring Framework affect IBM Common Licensing's Administration And Reporting Tool (ART) and its Agent (CVE-2022-22978, 220811)
Summary Security vulnerabilities have been addressed in IBM Common Licensing. In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. A fix is available to address the vulnerability...
Oracle MySQL Enterprise Monitor (Jan 2023 CPU)
The versions of MySQL Enterprise Monitor installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2023 CPU advisory. - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL component: Monitoring: General Spring Security. Supported versions...
This Week in Spring - January 17th, 2023
Hi, Spring fans! Welcome to another installment of This Week in Spring! I went to Helsinki, Finland, last week, and this week I'm in Atlanta, Georgia, to speak at the Atlanta Java User Group. And, of course, next week, I'll be in New York to join a viewing party for the airing of SpringOne...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service, caused by improper input validation with Spring Framework (CVE-2022-22950).
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service, caused by improper input validation in VMware Tanzu Spring Framework CVE-2022-22950. This appears in the Java code used by some of our service components. Please read the details for...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a data binding rules security weakness in Spring Framework (CVE-2022-22968)
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a Spring Framework data binding rules vulnerability, where case-sensitive patterns for disallowedFields cause weaker than expected security (CVE-2022-22968). Spring Framework is used by some of the Java...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to improper input validation in Spring Framework (CVE-2022-22950)
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service, caused by improper input validation in VMware Tanzu Spring Framework (CVE-2022-22950). Spring Framework is used in Watson Speech Services to build our STT and TTS Java services. Please read...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is affected but not classified as vulnerable to a remote code execution in Spring Framework CVE-2022-22965 as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3...
Exploit for Code Injection in Vmware Spring_Framework
Spring4Shell-CVE-2022-22965-POC bash ghost㉿uchiha:$ ./exp...
Security Bulletin: IBM Tivoli Monitoring is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)
Summary IBM Tivoli Monitoring is affected but not classified as vulnerable to a remote code execution in Spring Framework CVE-2022-22965 as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR in contrast to a Spring Boo...
Security Bulletin: IBM Tivoli Monitoring is affected but not classified as vulnerable by a denial of service in Spring Framework (CVE-2022-22950)
Summary IBM Tivoli Monitoring is affected but not classified as vulnerable to a remote code execution in Spring Framework CVE-2022-22950. The Tivoli Enterprise Portal Server CQ component includes but does not use it. The fix removes Spring from the product. Vulnerability Details...
This Week in Spring - December 20th, 2022
Hi, Spring fans! It's the 20th of December, 2022 as I write this, which means that by the time we meet again, here on this humble blog, Tuesday next week, Christmas will already have come and gone. Chanukah is already here! Time is sure flying! So, to those of you who celebrate: Happy Chanukah,...
spring-expression: Denial of service via specially crafted SpEL expression
A flaw was found in the Spring Framework. This flaw allows an attacker to craft a special Spring Expression, causing a denial of service...
Exploit for Code Injection in Vmware Spring_Framework
Spring4Shell-PoC Application This application has been contai...
New Go-based Botnet Exploiting Dozens of IoT Vulnerabilities to Expand its Network
NOTE: In this blog, Zerobot refers to a botnet that spreads primarily through IoT and web application vulnerabilities. It is not associated with the chatbot ZeroBot.ai. A novel Go-based botnet called Zerobot has been observed in the wild proliferating by taking advantage of nearly two dozen...
TERASOLUNA Server Framework vulnerable to ClassLoader manipulation
TERASOLUNA Global Framework 1.0.0 Public review version and TERASOLUNA Server Framework for Java Rich 2.0.0.2 to 2.0.5.1 are vulnerable to ClassLoader manipulation due to using the old version of Spring Framework which contains the vulnerability. The vulnerability is caused by an improper input...
GHSA-Q5J9-F95W-F4PR TERASOLUNA Server Framework vulnerable to ClassLoader manipulation
TERASOLUNA Global Framework 1.0.0 Public review version and TERASOLUNA Server Framework for Java Rich 2.0.0.2 to 2.0.5.1 are vulnerable to ClassLoader manipulation due to using the old version of Spring Framework which contains the vulnerability. The vulnerability is caused by an improper input...