Numecent Response to CVE-2022-22965 VMware Spring Framework Remote Code Execution

Posted over 2 years ago by Kyle Goebel

  • Pinned Topic
  • Topic is Locked
Kyle Goebel
Kyle Goebel Admin

Numecent Response to CVE-2022-22965 VMware Spring Framework Remote Code Execution

April 4th, 2022
 

Numecent has determined that the recently discovered vulnerability, CVE-2022-22965 does not impact Cloudpaging Server or Cloudpaging CDN.


CVE-2022-22965 is a remote code execution vulnerability, publicly released on March 29th, 2022. CVE-2022-22965 has not yet been assigned a severity rating. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. We can confirm that neither the Spring MVC or Spring WebFlux dependencies are used by Cloudpaging Server. In addition, Cloudpaging Server does not run on JDK 9 or higher. 


Numecent will continue to monitor and provide updates to the potential impact of the vulnerability on Numecent managed services and on-premises installations.


Customers can view our Cloudpaging Server - Apache Vulnerability Warnings article for a list of known vulnerabilities.

0 Votes


1 Comments

Kyle Goebel

Kyle Goebel posted over 2 years ago Admin

*Update*

Numecent Response to CVE-2022-22965 VMware Spring Framework Remote Code Execution

April 4th, 2022

Numecent has determined that the recently discovered vulnerability, CVE-2022-22963 does not impact Cloudpaging Server or Cloudpaging CDN.

CVE-2022-22963 has not yet been assigned a severity rating. This vulnerability would allow an attacker to use routing functionality to provide a specially crafted SpEL as a routing-expression resulting in remote code execution and potential access to local resources. The vulnerability applies to Spring Cloud Function 3.1.6, 3.2.2 and older unsupported versions.  We can confirm that Spring Cloud is not used by Cloudpaging Server.

0 Votes