Spring by VMware has released security updates to address multiple vulnerabilities affecting its products. The vulnerabilities tracked as CVE-2022-22963 affect Spring Cloud Function and CVE-2022-22965 affect Spring Framework known as “Spring4Shell”. According to VMware, the Spring4Shell vulnerability bypasses the patch for CVE-2010-1622, causing CVE-2010-1622 to become exploitable again. The bypass of the patch can occur because Java Development Kit (JDK) versions 9 and later provide two sandbox restriction methods, providing a path to exploit CVE-2010-1622 (JDK versions before 9 only provide one sandbox restriction method).
A remote attacker could exploit these vulnerabilities to take control of an affected system
3.0 Affected Products
• Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions
• Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions running on JDK version 9.0 and above
MyCERT encourage users and administrators to immediately apply the necessary updates in the Spring Blog posts that provide the Spring Cloud Function updates addressing CVE-2022-22963 and the Spring Framework updates addressing CVE-2022-22965. MyCERT also recommends reviewing VMWare Tanzu Vulnerability Report CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+ and CERT Coordination Center (CERT/CC) Vulnerability Note VU #970766 for more information. Kindly refer to the below URL for more details:
Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT