{"containers": {"cna": {"affected": [{"product": "Spring Framework", "vendor": "n/a", "versions": [{"status": "affected", "version": "Spring Framework versions 5.3.X prior to 5.3.18+, 5.2.x prior to 5.2.20+ and all old and unsupported versions"}]}], "descriptions": [{"lang": "en", "value": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-25T16:46:59", "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://tanzu.vmware.com/security/cve-2022-22965"}, {"name": "20220401 Vulnerability in Spring Framework Affecting Cisco Products: March 2022", "tags": ["vendor-advisory", "x_refsource_CISCO"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@vmware.com", "ID": "CVE-2022-22965", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Spring Framework", "version": {"version_data": [{"version_value": "Spring Framework versions 5.3.X prior to 5.3.18+, 5.2.x prior to 5.2.20+ and all old and unsupported versions"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}]}, "references": {"reference_data": [{"name": "https://tanzu.vmware.com/security/cve-2022-22965", "refsource": "MISC", "url": "https://tanzu.vmware.com/security/cve-2022-22965"}, {"name": "20220401 Vulnerability in Spring Framework Affecting Cisco Products: March 2022", "refsource": "CISCO", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"name": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005", "refsource": "CONFIRM", "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005"}, {"name": "http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf"}, {"name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"name": "http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html"}]}}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.kb.cert.org/vuls/id/970766"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://tanzu.vmware.com/security/cve-2022-22965"}, {"name": "20220401 Vulnerability in Spring Framework Affecting Cisco Products: March 2022", "tags": ["vendor-advisory", "x_refsource_CISCO", "x_transferred"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:28:42.725Z"}}]}, "cveMetadata": {"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "assignerShortName": "vmware", "cveId": "CVE-2022-22965", "datePublished": "2022-04-01T22:17:30", "dateReserved": "2022-01-10T00:00:00", "dateUpdated": "2024-08-03T03:28:42.725Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"cisaActionDue": "2022-04-25", "cisaExploitAdd": "2022-04-04", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Spring Framework JDK 9+ Remote Code Execution Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "7417ECB4-3391-4273-9DAF-C9C82220CEA8", "versionEndExcluding": "5.2.20", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "5049322E-FFAA-4CAA-B794-63539EA4E6D7", "versionEndExcluding": "5.3.18", "versionStartIncluding": "5.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:jdk:*:*:*:*:*:*:*:*", "matchCriteriaId": "19F22333-401B-4DB1-A63D-622FA54C2BA9", "versionStartIncluding": "9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cisco:cx_cloud_agent:*:*:*:*:*:*:*:*", "matchCriteriaId": "0DA44823-E5F1-4922-BCCA-13BEB49C017B", "versionEndExcluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "A4CA84D6-F312-4C29-A02B-050FCB7A902B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:22.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "2DF6C109-E3D3-431C-8101-2FF88763CF5A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DAAB7154-4DE8-4806-86D0-C1D33B84417B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_console:22.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "B5BB2213-08E7-497F-B672-556FD682D122", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_exposure_function:22.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "E24426EE-6A3F-413E-A70A-FB98CCD007A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "C2A5B24D-BDF2-423C-98EA-A40778C01A05", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "04E6C8E9-2024-496C-9BFD-4548A5B44E2E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*", "matchCriteriaId": "6F60E32F-0CA0-4C2D-9848-CB92765A9ACB", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "B61A7946-F554-44A9-9E41-86114E4B4914", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "3AA09838-BF13-46AC-BB97-A69F48B73A8A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.15.0:*:*:*:*:*:*:*", "matchCriteriaId": "D163AA57-1D66-4FBF-A8BB-F13E56E5C489", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "D6577F14-36B6-46A5-A1B1-FCCADA61A23B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*", "matchCriteriaId": "B4367D9B-BF81-47AD-A840-AC46317C774D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "0425918A-03F1-4541-BDEF-55B03E07E115", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "BD4349FE-EEF8-489A-8ABF-5FCD55EC6DE0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "D235B299-9A0E-44FF-84F1-2FFBC070A21D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:*", "matchCriteriaId": "C6EAA723-2A23-4151-930B-86ACF9CC1C0C", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "3C2E50B0-64B6-4696-9213-F5D9016058A5", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_policy_management:12.6.0.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "02AEDB9F-1040-4840-ACB6-8BF299886ACB", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "41C2C67B-BF55-4B48-A94D-1F37A4FAC68C", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "172BECE8-9626-4910-AAA1-A2FA9C7139E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "A4B3A10E-70A8-4332-8567-06AE2C45D3C6", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "059F0D4E-B007-4986-AB95-89F11147CB2B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "6CAC78AD-86BB-4F06-B8CF-8E1329987F2F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "44563108-AD89-49A0-9FA5-7DE5A5601D2C", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "FCA5DC3F-E7D8-45E3-8114-2213EC631CDF", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "078AEFC0-96DA-4F50-BE8E-8360718103A5", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", "matchCriteriaId": "7ECCD8C1-C055-4958-A613-B6D1609687F1", "versionEndExcluding": "8.0.29", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "7F978162-CB2C-4166-947A-9048C6E878BC", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "A69FB468-EAF3-4E67-95E7-DF92C281C1F1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:21.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "8AB16F34-D561-498F-A8C3-A24A47BCEBC9", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "77E39D5C-5EFA-4FEB-909E-0A92004F2563", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:*", "matchCriteriaId": "06816711-7C49-47B9-A9D7-FB18CC3F42F2", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:operation_scheduler:*:*:*:*:*:*:*:*", "matchCriteriaId": "435B691D-C763-4692-A46A-3422FA821ACF", "versionEndExcluding": "2.0.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:sipass_integrated:2.80:*:*:*:*:*:*:*", "matchCriteriaId": "83E77D85-0AE8-41D6-AC0C-983A8B73C831", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:sipass_integrated:2.85:*:*:*:*:*:*:*", "matchCriteriaId": "02B28A44-3708-480D-9D6D-DDF8C21A15EC", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:siveillance_identity:1.5:*:*:*:*:*:*:*", "matchCriteriaId": "9772EE3F-FFC5-4611-AD9A-8AD8304291BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:siveillance_identity:1.6:*:*:*:*:*:*:*", "matchCriteriaId": "CF524892-278F-4373-A8A3-02A30FA1AFF4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:veritas:access_appliance:7.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "26CDB573-611F-403C-9E9F-2A929B7B9602", "vulnerable": true}, {"criteria": "cpe:2.3:a:veritas:access_appliance:7.4.3.100:*:*:*:*:*:*:*", "matchCriteriaId": "E84BF8E9-9AB8-4591-9760-C9B727FD0BA2", "vulnerable": true}, {"criteria": "cpe:2.3:a:veritas:access_appliance:7.4.3.200:*:*:*:*:*:*:*", "matchCriteriaId": "2605B356-2BDE-45B2-AAB3-55236E163588", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:veritas:access_appliance:7.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "26CDB573-611F-403C-9E9F-2A929B7B9602", "vulnerable": true}, {"criteria": "cpe:2.3:a:veritas:access_appliance:7.4.3.100:*:*:*:*:*:*:*", "matchCriteriaId": "E84BF8E9-9AB8-4591-9760-C9B727FD0BA2", "vulnerable": true}, {"criteria": "cpe:2.3:a:veritas:access_appliance:7.4.3.200:*:*:*:*:*:*:*", "matchCriteriaId": "2605B356-2BDE-45B2-AAB3-55236E163588", "vulnerable": true}, {"criteria": "cpe:2.3:a:veritas:flex_appliance:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "E18698DE-9043-4AA0-B798-51C0B4CACBAD", "vulnerable": true}, {"criteria": "cpe:2.3:a:veritas:flex_appliance:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "8CE9674B-4528-4168-B09A-DBAA48622307", "vulnerable": true}, {"criteria": "cpe:2.3:a:veritas:flex_appliance:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "9810D40F-FF25-495F-80A4-7A8D8679FA33", "vulnerable": true}, {"criteria": "cpe:2.3:a:veritas:flex_appliance:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "02B3BC5A-97E2-4295-9EA3-62D29E579E9F", "vulnerable": true}, {"criteria": "cpe:2.3:a:veritas:flex_appliance:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "EC18FEAF-65B4-4F56-A703-21DF9B969B0B", "vulnerable": true}, {"criteria": "cpe:2.3:a:veritas:netbackup_flex_scale_appliance:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "66B1DC73-8B4C-418B-96A7-17C35E9164CE", "vulnerable": true}, {"criteria": "cpe:2.3:a:veritas:netbackup_flex_scale_appliance:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "48E6CF01-79F1-4E56-BB3C-02AE544876E4", "vulnerable": true}, {"criteria": "cpe:2.3:h:veritas:netbackup_appliance:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "62D12B2A-0167-4010-888E-30BB96DBA3F4", "vulnerable": true}, {"criteria": "cpe:2.3:h:veritas:netbackup_appliance:4.0.0.1:maintenance_release1:*:*:*:*:*:*", "matchCriteriaId": "42554066-06A0-44EF-8911-5982A4033E00", "vulnerable": true}, {"criteria": "cpe:2.3:h:veritas:netbackup_appliance:4.0.0.1:maintenance_release2:*:*:*:*:*:*", "matchCriteriaId": "BE52F0C6-7AB6-4E84-9A8C-01C2AE170504", "vulnerable": true}, {"criteria": "cpe:2.3:h:veritas:netbackup_appliance:4.0.0.1:maintenance_release3:*:*:*:*:*:*", "matchCriteriaId": "F2762443-9B5B-4675-84B3-21A60385F86E", "vulnerable": true}, {"criteria": "cpe:2.3:h:veritas:netbackup_appliance:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "F91A353F-6BEE-423E-BB6A-413C2C03D313", "vulnerable": true}, {"criteria": "cpe:2.3:h:veritas:netbackup_appliance:4.1.0.1:maintenance_release1:*:*:*:*:*:*", "matchCriteriaId": "6256AE6A-34BF-417A-BAB9-8889457BA31B", "vulnerable": true}, {"criteria": "cpe:2.3:h:veritas:netbackup_appliance:4.1.0.1:maintenance_release2:*:*:*:*:*:*", "matchCriteriaId": "FBEF9B41-F0AF-49A8-95A9-5F803E5AFDE0", "vulnerable": true}, {"criteria": "cpe:2.3:h:veritas:netbackup_virtual_appliance:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "C3F72DF7-C2C6-4009-82D8-462714D80DF5", "vulnerable": true}, {"criteria": "cpe:2.3:h:veritas:netbackup_virtual_appliance:4.0.0.1:maintenance_release1:*:*:*:*:*:*", "matchCriteriaId": "A5C4BAEE-EAAE-46F6-A275-330EE41CF1F7", "vulnerable": true}, {"criteria": "cpe:2.3:h:veritas:netbackup_virtual_appliance:4.0.0.1:maintenance_release2:*:*:*:*:*:*", "matchCriteriaId": "5311A3B2-E1C7-4816-B1DD-F0166C65F5A3", "vulnerable": true}, {"criteria": "cpe:2.3:h:veritas:netbackup_virtual_appliance:4.0.0.1:maintenance_release3:*:*:*:*:*:*", "matchCriteriaId": "ED4BC39F-2A18-4F2D-B5A6-A1590D220611", "vulnerable": true}, {"criteria": "cpe:2.3:h:veritas:netbackup_virtual_appliance:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "8E5BC47D-DD3A-4CE1-B313-18C9547E89EF", "vulnerable": true}, {"criteria": "cpe:2.3:h:veritas:netbackup_virtual_appliance:4.1.0.1:maintenance_release1:*:*:*:*:*:*", "matchCriteriaId": "63459D69-EC29-49A6-9577-A48B63C63063", "vulnerable": true}, {"criteria": "cpe:2.3:h:veritas:netbackup_virtual_appliance:4.1.0.1:maintenance_release2:*:*:*:*:*:*", "matchCriteriaId": "7B20A490-3398-4B36-9630-98CADC801E9E", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:siemens:operation_scheduler:*:*:*:*:*:*:*:*", "matchCriteriaId": "435B691D-C763-4692-A46A-3422FA821ACF", "versionEndExcluding": "2.0.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:simatic_speech_assistant_for_machines:*:*:*:*:*:*:*:*", "matchCriteriaId": "D035FB7D-36A5-439E-9992-DE255F020AB5", "versionEndExcluding": "1.2.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:sinec_network_management_system:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D14E8FC-464B-414D-AE56-C20FF46E25FB", "versionEndExcluding": "1.0.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:sipass_integrated:2.80:*:*:*:*:*:*:*", "matchCriteriaId": "83E77D85-0AE8-41D6-AC0C-983A8B73C831", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:sipass_integrated:2.85:*:*:*:*:*:*:*", "matchCriteriaId": "02B28A44-3708-480D-9D6D-DDF8C21A15EC", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:siveillance_identity:1.5:*:*:*:*:*:*:*", "matchCriteriaId": "9772EE3F-FFC5-4611-AD9A-8AD8304291BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:siveillance_identity:1.6:*:*:*:*:*:*:*", "matchCriteriaId": "CF524892-278F-4373-A8A3-02A30FA1AFF4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:commerce_platform:11.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "8CDE72F7-ED9D-4A53-BF63-DF6711FFDEF4", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "6EDB6772-7FDB-45FF-8D72-952902A7EE56", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "A7637F8B-15F1-42E2-BE18-E1FF7C66587D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "E43D793A-7756-4D58-A8ED-72DC4EC9CEA7", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "0EBC7EB1-FD72-4BFC-92CC-7C8B8E462D7C", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3486C85C-57BC-433F-941C-E81539DA5C1D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:*:*:*:*:*:*:*", "matchCriteriaId": "A7FBF5C7-EC73-4CE4-8CB7-E9CF5705DB25", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*", "matchCriteriaId": "36E16AEF-ACEB-413C-888C-8D250F65C180", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*", "matchCriteriaId": "9EFAEA84-E376-40A2-8C9F-3E0676FEC527", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "798E4FEE-9B2B-436E-A2B3-B8AA1079892A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_financial_integration:15.0.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "CB86F6C3-981E-4ECA-A5EB-9A9CD73D70C9", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "6B042849-7EF5-4A5F-B6CD-712C0B8735BF", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_financial_integration:19.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "7435071D-0C95-4686-A978-AFC4C9A0D0FE", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "8CFCE558-9972-46A2-8539-C16044F1BAA9", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "A1194C4E-CF42-4B4D-BA9A-40FDD28F1D58", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "822A3C37-86F2-4E91-BE91-2A859F983941", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD311C33-A309-44D5-BBFB-539D72C7F8C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "F8383028-B719-41FD-9B6A-71F8EB4C5F8D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "AE1BC44A-F0AF-41CD-9CEB-B07AB5ADAB38", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "F14A818F-AA16-4438-A3E4-E64C9287AC66", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "04BCDC24-4A21-473C-8733-0D9CFB38A752", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it."}, {"lang": "es", "value": "Una aplicaci\u00f3n Spring MVC o Spring WebFlux que es ejecutada en JDK 9+ puede ser vulnerable a la ejecuci\u00f3n de c\u00f3digo remota (RCE) por medio de una vinculaci\u00f3n de datos. La explotaci\u00f3n espec\u00edfica requiere que la aplicaci\u00f3n sea ejecutada en Tomcat como un despliegue WAR. Si la aplicaci\u00f3n es desplegada como un jar ejecutable de Spring Boot, es decir, por defecto, no es vulnerable a la explotaci\u00f3n. Sin embargo, la naturaleza de la vulnerabilidad es m\u00e1s general, y puede haber otras formas de explotarla"}], "id": "CVE-2022-22965", "lastModified": "2024-10-18T19:52:02.903", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-04-01T23:15:13.870", "references": [{"source": "security@vmware.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html"}, {"source": "security@vmware.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html"}, {"source": "security@vmware.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf"}, {"source": "security@vmware.com", "tags": ["Third Party Advisory"], "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005"}, {"source": "security@vmware.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://tanzu.vmware.com/security/cve-2022-22965"}, {"source": "security@vmware.com", "tags": ["Third Party Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67"}, {"source": "security@vmware.com", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "security@vmware.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@vmware.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2022:1306", "cpe": "cpe:/a:redhat:camel_quarkus:2.2.1", "impact": "low", "package": "spring-beans", "product_name": "CEQ 2.2.1-1 (CVE-2022-22965)", "release_date": "2022-04-11T00:00:00Z"}, {"advisory": "RHSA-2022:1626", "cpe": "cpe:/a:redhat:amq_broker:7", "impact": "low", "package": "spring-webmvc", "product_name": "Red Hat AMQ 7.8.6", "release_date": "2022-04-27T00:00:00Z"}, {"advisory": "RHSA-2022:1627", "cpe": "cpe:/a:redhat:amq_broker:7", "impact": "low", "package": "spring-webmvc", "product_name": "Red Hat AMQ 7.9.4", "release_date": "2022-04-27T00:00:00Z"}, {"advisory": "RHSA-2022:1360", "cpe": "cpe:/a:redhat:jboss_fuse:7", "impact": "low", "package": "spring-webmvc", "product_name": "Red Hat Fuse 7.10.2", "release_date": "2022-04-13T00:00:00Z"}, {"advisory": "RHSA-2022:1379", "cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7.12", "impact": "low", "package": "spring-webmvc", "product_name": "RHDM 7.12.1 async", "release_date": "2022-04-14T00:00:00Z"}, {"advisory": "RHSA-2022:1333", "cpe": "cpe:/a:redhat:integration:1", "impact": "low", "package": "spring-beans", "product_name": "RHINT Camel-K 1.6.5", "release_date": "2022-04-12T00:00:00Z"}, {"advisory": "RHSA-2022:1378", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12", "impact": "low", "package": "spring-webmvc", "product_name": "RHPAM 7.12.1 async", "release_date": "2022-04-14T00:00:00Z"}], "bugzilla": {"description": "spring-framework: RCE via Data Binding on JDK 9+", "id": "2070348", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2070348"}, "csaw": true, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-94", "details": ["A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.", "A flaw was found in Spring Framework, specifically within two modules called Spring MVC and Spring WebFlux, (transitively affected from Spring Beans), using parameter data binding. This flaw allows an attacker to pass specially-constructed malicious requests to certain parameters and possibly gain access to normally-restricted functionality within the Java Virtual Machine."], "mitigation": {"lang": "en:us", "value": "For those who are not able to upgrade affected Spring classes to the fixed versions, there is a workaround customers can implement for their applications, via setting disallowed fields on the data binder, and denying various iterations of the string \"class.*\" \nFor full implementation details, see Spring's early announcement post in the \"suggested workarounds\" section: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#suggested-workarounds"}, "name": "CVE-2022-22965", "package_state": [{"cpe": "cpe:/a:redhat:jboss_amq:6", "fix_state": "Will not fix", "impact": "low", "package_name": "spring-webmvc", "product_name": "Red Hat JBoss A-MQ 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Will not fix", "impact": "low", "package_name": "spring-webmvc", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Will not fix", "impact": "low", "package_name": "rhvm-dependencies", "product_name": "Red Hat Virtualization 4"}], "public_date": "2022-03-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-22965\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-22965\nhttps://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement\nhttps://tanzu.vmware.com/security/cve-2022-22965\nhttps://www.cyberkendra.com/2022/03/spring4shell-details-and-exploit-code.html\nhttps://www.praetorian.com/blog/spring-core-jdk9-rce/\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog"], "statement": "The reporter of this flaw provided a proof-of-concept that relied on Apache Tomcat; it accessed the classloader and changed logging properties to place a web shell in Tomcat's root directory, and was able to call various commands subsequently.\nThere are several conditions required to achieve this exploit:\n-Java 9 or newer version\n-Apache Tomcat as the Servlet container\n-packaged as WAR file\n-spring-webmvc or spring-webflux dependency\n-no protections in place against malicious data bindings (ex: WebDataBinder allow list)\nThere may be other exploit paths than this, possibly not utilizing Tomcat.", "threat_severity": "Important", "upstream_fix": "spring-framework 5.2.20, spring-framework 5.3.18, spring-webmvc 5.2.20, spring-webmvc 5.3.18"}