{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/970766#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\n\r\nThe Spring Framework insecurely handles PropertyDescriptor objects, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\r\n\r\n### Description\r\n\r\nThe [Spring Framework](https://spring.io/) is a Java framework that can be used to create applications such as web applications. Due to improper handling of PropertyDescriptor objects used with data binding, Java applications written with Spring may allow for the execution of arbitrary code.\r\n\r\nExploit code that targets affected WAR-packaged Java code for tomcat servers is publicly available.\r\n\r\nNCSC-NL has a [list of products and their statuses](https://github.com/NCSC-NL/spring4shell/blob/main/software/README.md) with respect to this vulnerability.\r\n\r\n### Impact\r\nBy providing crafted data to a Spring Java application, such as a web application, an attacker may be able to execute arbitrary code with the privileges of the affected application. Depending on the application, exploitation may be possible by a remote attacker without requiring authentication.\r\n\r\n### Solution\r\n#### Apply an update\r\nThis issue is addressed in Spring Framework 5.3.18 and 5.2.20. Please see the [Spring Framework RCE Early Announcement](https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement) for more details.\r\n\r\n### Acknowledgements\r\nThis issue was publicly disclosed by heige.\r\n\r\nThis document was written by Will Dormann","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. 
YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"Cisco is aware of the vulnerability identified by CVE ID CVE-2022-22950 and with the title \"Spring Expression DoS Vulnerability\". We are following our well-established process to investigate all aspects of the issue. If something is found that our customers need to be aware of and respond to, we will communicate via our established disclosure process.","title":"Vendor statement from Cisco"},{"category":"other","text":"We have not received any reports of these issues from SolarWinds customers but are actively investigating. 
The following SolarWinds products do utilize the Spring Framework, but have not yet been confirmed to be affected by this issue: \r\n\t\t\t\t\t•\tSecurity Event Manager (SEM) \r\n\t\t\t\t\t•\tDatabase Performance Analyzer (DPA) \r\n\t\t\t\t\t•\tWeb Help Desk (WHD)\r\nWhile we have not seen or received reports of SolarWinds products affected by this issue, for the protection of their environments, SolarWinds strongly recommends all customers disconnect their public-facing (internet-facing) installations of these SolarWinds products (SEM, DPA, and WHD) from the internet.","title":"Vendor statement from SolarWinds"},{"category":"other","text":"Aruba Networks is aware of the issue and we have published a security advisory for our products at https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-006.txt","title":"Vendor statement from Aruba Networks"},{"category":"other","text":"The UniFi Network application only supports Java 8, which is not affected by this CVE. Still, the upcoming Network Version 7.2 update will upgrade to Spring Framework 5.3.18.","title":"Vendor statement from Ubiquiti"},{"category":"other","text":"No Red Hat products are affected by CVE-2022-22963.","title":"Vendor statement from Red Hat"},{"category":"other","text":"F5 products and services and NGINX products are not affected by CVE-2022-22965.","title":"Vendor statement from F5 Networks"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document 
released","category":"self","url":"https://kb.cert.org/vuls/id/970766"},{"url":"https://tanzu.vmware.com/security/cve-2022-22965","summary":"https://tanzu.vmware.com/security/cve-2022-22965"},{"url":"https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement","summary":"https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement"},{"url":"https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html","summary":"https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html"},{"url":"https://github.com/NCSC-NL/spring4shell/blob/main/software/README.md","summary":"https://github.com/NCSC-NL/spring4shell/blob/main/software/README.md"},{"url":"https://fortiguard.fortinet.com/psirt/FG-IR-22-072","summary":"Reference(s) from vendor \"Fortinet\""},{"url":"https://community.kofax.com/s/question/0D53m00006FG8NVCA1/communications-manager-release-announcements?language=en_US","summary":"Reference(s) from vendor \"Kofax\""},{"url":"https://community.kofax.com/s/question/0D53m00006w0My3CAE/controlsuite-release-announcements?language=en_US","summary":"Reference(s) from vendor \"Kofax\""},{"url":"https://community.kofax.com/s/question/0D53m00006FG8RtCAL/readsoft-release-announcements?language=en_US","summary":"Reference(s) from vendor \"Kofax\""},{"url":"https://community.kofax.com/s/question/0D53m00006FG8ThCAL/robotic-process-automation-release-announcements?language=en_US","summary":"Reference(s) from vendor \"Kofax\""},{"url":"https://community.kofax.com/s/question/0D53m00006FG8QdCAL/markview-release-announcements","summary":"Reference(s) from vendor \"Kofax\""},{"url":"https://knowledge.kofax.com/General_Support/General_Troubleshooting/Kofax_products_and_Spring4Shell_vulnerability_information","summary":"Reference(s) from vendor \"Kofax\""},{"url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67","summary":"Reference(s) from vendor 
\"Cisco\""},{"url":"https://www.tibco.com/support/notices/spring-framework-vulnerability-update","summary":"Reference(s) from vendor \"TIBCO\""},{"url":"https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf","summary":"Reference(s) from vendor \"Siemens\""},{"url":"https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=0vdcg&oscode=naa&productcode=wyse-wms","summary":"Reference(s) from vendor \"Dell\""},{"url":"https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10","summary":"Reference(s) from vendor \"SAP SE\""},{"url":"https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk178605&src=securityAlerts","summary":"Reference(s) from vendor \"Check Point\""},{"url":"https://cyberark-customers.force.com/s/article/Spring-Framework-CVE-2022-22965","summary":"Reference(s) from vendor \"CyberArk\""},{"url":"https://www.solarwinds.com/trust-center/security-advisories/spring4shell","summary":"Reference(s) from vendor \"SolarWinds\""},{"url":"https://community.sonarsource.com/t/sonarqube-sonarcloud-and-spring4shell/60926","summary":"Reference(s) from vendor \"SonarSource\""},{"url":"https://bmcsites.force.com/casemgmt/sc_KnowledgeArticle?sfdcid=000395541","summary":"Reference(s) from vendor \"BMC Software\""},{"url":"https://community.ui.com/releases/Statement-Regarding-Spring-CVE-2022-22965-2022-22950-and-2022-22963-001/19b2dc6f-4c36-436e-bd38-59ea0d6f1cb5","summary":"Reference(s) from vendor \"Ubiquiti\""},{"url":"https://security.paloaltonetworks.com/CVE-2022-22963","summary":"Reference(s) from vendor \"Palo Alto Networks\""},{"url":"https://discuss.elastic.co/t/spring4shell-spring-framework-remote-code-execution-vulnerability/301229","summary":"Reference(s) from vendor \"Elastic\""},{"url":"https://documentation.commvault.com/v11/essential/146231_security_vulnerability_and_reporting.html#cv2022041-spring-framework","summary":"Reference(s) from vendor 
\"Commvault\""},{"url":"https://kc.mcafee.com/corporate/index?page=content&id=KB95447","summary":"Reference(s) from vendor \"McAfee\""},{"url":"https://portal.microfocus.com/s/article/KM000005107?language=en_US","summary":"Reference(s) from vendor \"Micro Focus\""},{"url":"https://security.netapp.com/advisory/ntap-20220401-0001/","summary":"Reference(s) from vendor \"NetApp\""},{"url":"https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB45126/?kA13Z000000L3sW","summary":"Reference(s) from vendor \"Pulse Secure\""},{"url":"https://kb.tableau.com/articles/Issue/Spring4Shell-CVE-2022-22963-and-CVE-2022-22965","summary":"Reference(s) from vendor \"salesforce.com\""},{"url":"https://community.jamf.com/t5/jamf-pro/spring4shell-vulnerability/td-p/262584","summary":"Reference(s) from vendor \"JAMF software\""},{"url":"https://www.ptc.com/en/support/article/cs366379?language=en&posno=1&q=CVE-2022-22965&source=search","summary":"Reference(s) from vendor \"PTC\""},{"url":"https://sec.okta.com/articles/2022/04/oktas-response-cve-2022-22965-spring4shell","summary":"Reference(s) from vendor \"Okta Inc.\""},{"url":"https://www.vmware.com/security/advisories/VMSA-2022-0010.html","summary":"Reference(s) from vendor \"VMware\""},{"url":"https://community.servicenow.com/community?id=community_question&sys_id=5530394edb2e8950e2adc2230596194f","summary":"Reference(s) from vendor \"ServiceNow\""},{"url":"https://geoserver.org/announcements/vulnerability/2022/04/01/spring.html","summary":"Reference(s) from vendor \"GeoServer\""},{"url":"https://support.f5.com/csp/article/K11510688","summary":"Reference(s) from vendor \"F5 Networks\""},{"url":"https://www.jenkins.io/blog/2022/03/31/spring-rce-CVE-2022-22965/","summary":"Reference(s) from vendor \"Jenkins\""},{"url":"https://success.trendmicro.com/dcx/s/solution/000290730","summary":"Reference(s) from vendor \"Trend Micro\""},{"url":"https://www.veritas.com/content/support/en_US/security/VTS22-006","summary":"Reference(s) from 
vendor \"Veritas Technologies\""},{"url":"https://www.blueriq.com/en/insights/measures-cve22950-22963-22965","summary":"Reference(s) from vendor \"Blueriq\""},{"url":"https://community.developer.atlassian.com/t/attention-cve-2022-22965-spring-framework-rce-investigation/57172","summary":"Reference(s) from vendor \"Atlassian\""},{"url":"https://tanzu.vmware.com/security/cve-2022-22965","summary":"Reference(s) from vendor \"Spring\""},{"url":"https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement","summary":"Reference(s) from vendor \"Spring\""}],"title":"Spring Framework insecurely handles PropertyDescriptor objects with data binding","tracking":{"current_release_date":"2022-05-19T16:09:54+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#970766","initial_release_date":"2022-03-30 00:00:00+00:00","revision_history":[{"date":"2022-05-19T16:09:54+00:00","number":"1.20220519160954.22","summary":"Released on 2022-05-19T16:09:54+00:00"}],"status":"final","version":"1.20220519160954.22"}},"vulnerabilities":[{"title":"Spring Framework insecurely handles PropertyDescriptor objects.","notes":[{"category":"summary","text":"Spring Framework insecurely handles PropertyDescriptor objects."}],"cve":"CVE-2022-22965","ids":[{"system_name":"CERT/CC V Identifier 
","text":"VU#970766"}],"product_status":{"known_affected":["CSAFPID-8ec74b56-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ec7b1ea-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ec7e976-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ec97ab6-39e5-11f1-8422-122e2785dc9f","CSAFPID-8eca2902-39e5-11f1-8422-122e2785dc9f","CSAFPID-8eca58dc-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ecb5f66-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ecb8f0e-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ecbeabc-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ecca448-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ecd05d2-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ecd78aa-39e5-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-8ec7808a-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ec812fc-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ec83fa2-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ec87918-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ec8a9f6-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ec8e524-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ec9296c-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ec9b62a-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ec9e2da-39e5-11f1-8422-122e2785dc9f","CSAFPID-8eca7e02-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ecad302-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ecb0ae8-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ecb3018-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ecbc2c6-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ecc28ce-39e5-11f1-8422-122e2785dc9f","CSAFPID-8ecc62b2-39e5-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"TIBCO","product":{"name":"TIBCO Products","product_id":"CSAFPID-8ec71e60-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Siemens","product":{"name":"Siemens Products","product_id":"CSAFPID-8ec74b56-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"F5 Networks","product":{"name":"F5 Networks Products","product_id":"CSAFPID-8ec7808a-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Dell","product":{"name":"Dell 
Products","product_id":"CSAFPID-8ec7b1ea-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"SAP SE","product":{"name":"SAP SE Products","product_id":"CSAFPID-8ec7e976-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Check Point","product":{"name":"Check Point Products","product_id":"CSAFPID-8ec812fc-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Ubiquiti","product":{"name":"Ubiquiti Products","product_id":"CSAFPID-8ec83fa2-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Veritas Technologies","product":{"name":"Veritas Technologies Products","product_id":"CSAFPID-8ec87918-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Aruba Networks","product":{"name":"Aruba Networks Products","product_id":"CSAFPID-8ec8a9f6-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"salesforce.com","product":{"name":"salesforce.com Products","product_id":"CSAFPID-8ec8e524-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"SonarSource","product":{"name":"SonarSource Products","product_id":"CSAFPID-8ec9296c-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"BMC Software","product":{"name":"BMC Software Products","product_id":"CSAFPID-8ec97ab6-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Palo Alto Networks","product":{"name":"Palo Alto Networks Products","product_id":"CSAFPID-8ec9b62a-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Elastic","product":{"name":"Elastic Products","product_id":"CSAFPID-8ec9e2da-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"NetApp","product":{"name":"NetApp Products","product_id":"CSAFPID-8eca2902-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Cisco","product":{"name":"Cisco Products","product_id":"CSAFPID-8eca58dc-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Commvault","product":{"name":"Commvault 
Products","product_id":"CSAFPID-8eca7e02-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"McAfee","product":{"name":"McAfee Products","product_id":"CSAFPID-8ecaa26a-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Micro Focus","product":{"name":"Micro Focus Products","product_id":"CSAFPID-8ecad302-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Pulse Secure","product":{"name":"Pulse Secure Products","product_id":"CSAFPID-8ecb0ae8-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-8ecb3018-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"JAMF software","product":{"name":"JAMF software Products","product_id":"CSAFPID-8ecb5f66-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"PTC","product":{"name":"PTC Products","product_id":"CSAFPID-8ecb8f0e-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Okta Inc.","product":{"name":"Okta Inc. Products","product_id":"CSAFPID-8ecbc2c6-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"VMware","product":{"name":"VMware Products","product_id":"CSAFPID-8ecbeabc-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Jenkins","product":{"name":"Jenkins Products","product_id":"CSAFPID-8ecc28ce-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Trend Micro","product":{"name":"Trend Micro Products","product_id":"CSAFPID-8ecc62b2-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"SolarWinds","product":{"name":"SolarWinds Products","product_id":"CSAFPID-8ecca448-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"ServiceNow","product":{"name":"ServiceNow Products","product_id":"CSAFPID-8eccd85a-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Blueriq","product":{"name":"Blueriq Products","product_id":"CSAFPID-8ecd05d2-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Fortinet","product":{"name":"Fortinet 
Products","product_id":"CSAFPID-8ecd3548-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Spring","product":{"name":"Spring Products","product_id":"CSAFPID-8ecd78aa-39e5-11f1-8422-122e2785dc9f"}}]}}