Overview
The Spring Framework insecurely handles PropertyDescriptor objects, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description
The Spring Framework is a Java framework that can be used to create applications such as web applications. Due to improper handling of PropertyDescriptor objects used with data binding, Java applications written with Spring may allow for the execution of arbitrary code.
Exploit code that targets affected WAR-packaged Java applications deployed on Tomcat servers is publicly available.
NCSC-NL has a list of products and their statuses with respect to this vulnerability.
Impact
By providing crafted data to a Spring Java application, such as a web application, an attacker may be able to execute arbitrary code with the privileges of the affected application. Depending on the application, exploitation may be possible by a remote attacker without requiring authentication.
Solution
Apply an update
This issue is addressed in Spring Framework 5.3.18 and 5.2.20. Please see the Spring Framework RCE Early Announcement for more details.
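Because the flaw is reached through request data being bound into the `class` property graph of a command object, a data-binder restriction is the usual interim control where the update cannot be applied immediately. The following is an added example, not code from this advisory or from the Spring project; it assumes a Spring MVC 5.x application, and the class names, the `signupForm` model attribute and its field names are hypothetical.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Added example (hypothetical class names, not from the advisory): a global
// WebDataBinder rule that refuses to bind request parameters into the "class"
// property graph of any @ModelAttribute command object.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
class BinderHardeningAdvice {

    // Both capitalisations, at the top level and nested at any depth.
    static final String[] DENY = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    void hardenBinder(WebDataBinder binder) {
        // Merge with whatever other advice already set instead of replacing it;
        // getDisallowedFields() returns null when nothing has been set yet.
        Set<String> merged = new LinkedHashSet<>();
        String[] current = binder.getDisallowedFields();
        if (current != null) {
            merged.addAll(Arrays.asList(current));
        }
        merged.addAll(Arrays.asList(DENY));
        binder.setDisallowedFields(merged.toArray(new String[0]));
    }
}

// Caveat: a controller's own @InitBinder runs after the global advice, and a
// local setDisallowedFields() call replaces the global list. The more robust
// per-form control is an allow-list of exactly the properties the form owns.
@Controller
class SignupController {

    @InitBinder("signupForm")  // applies only to the model attribute of that name
    void restrictSignupBinding(WebDataBinder binder) {
        binder.setAllowedFields("username", "email", "displayName");  // hypothetical field names
    }
}
```

The deny-list advice is a safety net for the whole application; the allow-list in each controller is what actually closes the door for a given form, since an allow-list rejects every property it does not name.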
Acknowledgements
This issue was publicly disclosed by heige.
This document was written by Will Dormann.
Vendor Information
Blueriq Affected
| CVE-2022-22965 | Affected |
Vendor Statement
We have not received a statement from the vendor.
References
BMC Software Affected
| CVE-2022-22965 | Affected |
Vendor Statement
We have not received a statement from the vendor.
References
Cisco Affected
Statement Date: April 07, 2022
| CVE-2022-22965 | Affected |
Vendor Statement
Cisco is aware of the vulnerability identified by CVE ID CVE-2022-22950 and with the title "Spring Expression DoS Vulnerability". We are following our well-established process to investigate all aspects of the issue. If something is found that our customers need to be aware of and respond to, we will communicate via our established disclosure process.
References
Dell Affected
| CVE-2022-22965 | Affected |
Vendor Statement
We have not received a statement from the vendor.
References
JAMF software Affected
| CVE-2022-22965 | Affected |
Vendor Statement
We have not received a statement from the vendor.
References
NetApp Affected
| CVE-2022-22965 | Affected |
Vendor Statement
We have not received a statement from the vendor.
References
PTC Affected
| CVE-2022-22965 | Affected |
Vendor Statement
We have not received a statement from the vendor.
References
SAP SE Affected
| CVE-2022-22965 | Affected |
Vendor Statement
We have not received a statement from the vendor.
References
Siemens Affected
| CVE-2022-22965 | Affected |
Vendor Statement
We have not received a statement from the vendor.
References
SolarWinds Affected
Statement Date: April 04, 2022
| CVE-2022-22965 | Affected |
Vendor Statement
We have not received any reports of these issues from SolarWinds customers but are actively investigating. The following SolarWinds products do utilize the Spring Framework, but have not yet been confirmed to be affected by this issue:
- Security Event Manager (SEM)
- Database Performance Analyzer (DPA)
- Web Help Desk (WHD)
While we have not seen or received reports of SolarWinds products affected by this issue, for the protection of their environments, SolarWinds strongly recommends all customers disconnect their public-facing (internet-facing) installations of these SolarWinds products (SEM, DPA, and WHD) from the internet.
References
Spring Affected
Statement Date: March 31, 2022
| CVE-2022-22965 | Affected |
Vendor Statement
We have not received a statement from the vendor.
References
VMware Affected
| CVE-2022-22965 | Affected |
Vendor Statement
We have not received a statement from the vendor.
References
Aruba Networks Not Affected
Statement Date: April 07, 2022
| CVE-2022-22965 | Not Affected |
Vendor Statement
Aruba Networks is aware of the issue and we have published a security advisory for our products at https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-006.txt
Check Point Not Affected
| CVE-2022-22965 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
References
Commvault Not Affected
| CVE-2022-22965 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
References
Elastic Not Affected
| CVE-2022-22965 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
References
F5 Networks Not Affected
Statement Date: April 15, 2022
| CVE-2022-22965 | Not Affected |
Vendor Statement
F5 products and services and NGINX products are not affected by CVE-2022-22965.
References
Jenkins Not Affected
| CVE-2022-22965 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
References
Micro Focus Not Affected
| CVE-2022-22965 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
References
Okta Inc. Not Affected
| CVE-2022-22965 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
References
Palo Alto Networks Not Affected
| CVE-2022-22965 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
References
Pulse Secure Not Affected
| CVE-2022-22965 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
References
Red Hat Not Affected
Statement Date: April 08, 2022
| CVE-2022-22965 | Not Affected |
Vendor Statement
No Red Hat products are affected by CVE-2022-22963.
salesforce.com Not Affected
| CVE-2022-22965 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
References
SonarSource Not Affected
| CVE-2022-22965 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
References
Trend Micro Not Affected
Statement Date: April 06, 2022
| CVE-2022-22965 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
References
Ubiquiti Not Affected
Statement Date: April 08, 2022
| CVE-2022-22965 | Not Affected |
Vendor Statement
The UniFi Network application only supports Java 8, which is not affected by this CVE. Still, the upcoming Network Version 7.2 update will upgrade to Spring Framework 5.3.18.
References
Veritas Technologies Not Affected
| CVE-2022-22965 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
References
Atlassian Unknown
| CVE-2022-22965 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
References
CyberArk Unknown
| CVE-2022-22965 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
References
Fortinet Unknown
| CVE-2022-22965 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
References
GeoServer Unknown
| CVE-2022-22965 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
References
Kofax Unknown
| CVE-2022-22965 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
References
- https://community.kofax.com/s/question/0D53m00006FG8NVCA1/communications-manager-release-announcements?language=en_US
- https://community.kofax.com/s/question/0D53m00006w0My3CAE/controlsuite-release-announcements?language=en_US
- https://community.kofax.com/s/question/0D53m00006FG8RtCAL/readsoft-release-announcements?language=en_US
- https://community.kofax.com/s/question/0D53m00006FG8ThCAL/robotic-process-automation-release-announcements?language=en_US
- https://community.kofax.com/s/question/0D53m00006FG8QdCAL/markview-release-announcements
- https://knowledge.kofax.com/General_Support/General_Troubleshooting/Kofax_products_and_Spring4Shell_vulnerability_information
McAfee Unknown
| CVE-2022-22965 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
References
ServiceNow Unknown
| CVE-2022-22965 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
References
TIBCO Unknown
Statement Date: May 17, 2022
| CVE-2022-22965 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
References
Alphatron Medical Unknown
| CVE-2022-22965 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Extreme Networks Unknown
| CVE-2022-22965 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
PagerDuty Unknown
| CVE-2022-22965 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Other Information
| CVE IDs: | CVE-2022-22965 |
| Date Public: | 2022-03-30 |
| Date First Published: | 2022-03-31 |
| Date Last Updated: | 2022-05-19 16:09 UTC |
| Document Revision: | 22 |