Article - CS366559
ThingWorx Spring4shell CVE-2022-22965 vulnerability incident response
Modified: 13-Oct-2022
Applies To
- ThingWorx Platform 9.0 to 9.3
- Affected versions of Spring framework
- 5.3.0 to 5.3.17
- 5.2.0 to 5.2.19
- Older, unsupported versions are also affected
Description
- A new vulnerability defined as Spring4shell CVE-2022-22965 was recently reported against the popular Java framework Spring Core on JDK9+
- Other reported vulnerabilities -
- CVE-2022-22963 (Spring Cloud) - In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in access to local resources
- ThingWorx and its platform components are not affected by this issue
- CVE-2022-22950 (Spring Expression) - In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. Spring Expression can lead to Denial of Service if not properly mitigated
- ThingWorx and its platform components are not affected by this issue
- CVE-2022-22963 (Spring Cloud) - In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in access to local resources
- These vulnerabilities, if not addressed, can allow remote code execution (RCE) which would permit attackers to execute arbitrary code on the machine and compromise the entire host
- These are the requirements for the specific vulnerable scenario from the report:
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
- spring-webmvc or spring-webflux dependency
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
- Note: The nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet
This is a printer-friendly version of Article 366559 and may be out of date. For the latest version click CS366559