Article - CS366379
Java Spring Framework vulnerabilities (CVE-2022-22963, CVE-2022-22950, CVE-2022-22965) impact on Windchill and FlexPLM
Modified: 09-Nov-2022
Applies To
- Windchill PDMLink 11.1 M020 to 12.1.0.0
- FlexPLM 11.1 M010 to 12.0.3.0
Description
- Multiple vulnerabilities have been reported for Spring, including a zero-day critical RCE (Remote Code Execution)
- CVE-2022-22963
- CVSS Score (VMware) = 5.4
- Description: In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in access to local resources.
- Mitigation: Users of affected versions should upgrade to 3.1.7, 3.2.3. No other steps are necessary.
- Applicability: Not applicable to Windchill or FlexPLM. No Impact.
- Additional Reference: Tanzu vmware also shared a Summary around the CVE-2022-22963.
- CVE-2022-22950
- CVSS Score (VMware) = 5.4
- Description: In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service condition.
- Mitigation: Users of affected versions should upgrade to 5.3.17+. No other steps are necessary.
- Applicability: See Resolution
- Additional Reference: Tanzu vmware also shared a Summary around the CVE-2022-22950 .
- CVE-2022-22965 (Spring4Shell)
- CVSS Score (Black Duck): 9.8 (Critical)
- Description: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
- Mitigation: Update to Spring Framework 5.3.18
- Applicability: See Resolution
- Additional Reference: Tanzu vmware also shared a Summary around the CVE-2022-22965 .
This is a printer-friendly version of Article 366379 and may be out of date. For the latest version click CS366379