Numecent Response to CVE-2022-22965 VMware Spring Framework Remote Code Execution
Posted over 2 years ago by Kyle Goebel (Admin)
Numecent Response to CVE-2022-22965 VMware Spring Framework Remote Code Execution
April 4th, 2022
Numecent has determined that the recently discovered vulnerability, CVE-2022-22965, does not impact Cloudpaging Server or Cloudpaging CDN.
CVE-2022-22965 is a remote code execution vulnerability, publicly released on March 29th, 2022. CVE-2022-22965 has not yet been assigned a severity rating. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. We can confirm that neither the Spring MVC nor the Spring WebFlux dependencies are used by Cloudpaging Server. In addition, Cloudpaging Server does not run on JDK 9 or higher.
Numecent will continue to monitor and provide updates on the potential impact of the vulnerability on Numecent managed services and on-premises installations.
Customers can view our Cloudpaging Server - Apache Vulnerability Warnings article for a list of known vulnerabilities.
1 Comment
Kyle Goebel (Admin) posted over 2 years ago
*Update*
Numecent Response to CVE-2022-22965 VMware Spring Framework Remote Code Execution
April 4th, 2022
Numecent has determined that the recently discovered vulnerability, CVE-2022-22963, does not impact Cloudpaging Server or Cloudpaging CDN.
CVE-2022-22963 has not yet been assigned a severity rating. This vulnerability would allow an attacker to use routing functionality to provide a specially crafted SpEL as a routing-expression resulting in remote code execution and potential access to local resources. The vulnerability applies to Spring Cloud Function 3.1.6, 3.2.2 and older unsupported versions. We can confirm that Spring Cloud is not used by Cloudpaging Server.
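To check the conditions described in this thread against an installation directory of your own, the following added example (not Numecent's or Spring's code) inventories Spring jars, including those packed inside war/ear archives, and applies the stated conditions. The jar-name pattern and the function names are assumptions; a `True` result means the stated conditions are present, not that the deployment is confirmed exploitable.

```python
import re
import zipfile
from pathlib import Path

# Artifact families named in the advisory; the jar-name pattern is an assumption.
JAR_RE = re.compile(r"(?:^|/)((?:spring-webmvc|spring-webflux|spring-cloud-function)"
                    r"(?:-[a-z]+)*)-(\d+(?:\.\d+)*)[^/]*\.jar$")

def java_major(version):
    """'1.8.0_321' -> 8, '11.0.14' -> 11, '17' -> 17."""
    parts = re.split(r"[._+-]", version)
    return int(parts[1]) if parts[0] == "1" and len(parts) > 1 else int(parts[0])

def find_spring_jars(root):
    """Return sorted (archive, artifact, version) hits under root, looking at
    loose jars and at jars packed inside war/ear/fat-jar archives."""
    hits = set()
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in (".jar", ".war", ".ear"):
            continue
        names = [path.name]
        try:
            with zipfile.ZipFile(path) as zf:
                names += zf.namelist()
        except zipfile.BadZipFile:
            pass  # unreadable archive: still judge it by its file name
        for name in names:
            m = JAR_RE.search(name)
            if m:
                hits.add((path.name, m.group(1), m.group(2)))
    return sorted(hits)

def assess(hits, java_version):
    """True per CVE when the conditions stated in the advisory are present."""
    web = [h for h in hits if h[1].startswith(("spring-webmvc", "spring-webflux"))]
    scf = []
    for h in hits:
        if h[1].startswith("spring-cloud-function"):
            v = (tuple(int(x) for x in h[2].split(".")) + (0, 0))[:3]
            # "3.1.6, 3.2.2 and older" as stated in the advisory
            if v <= (3, 1, 6) or (3, 2, 0) <= v <= (3, 2, 2):
                scf.append(h)
    return {"CVE-2022-22965": bool(web) and java_major(java_version) >= 9,
            "CVE-2022-22963": bool(scf)}

if __name__ == "__main__":
    import sys  # usage: script.py <install-dir> <java-version-string>
    print(assess(find_spring_jars(sys.argv[1]), sys.argv[2]))
```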