April 6, 2022
RE: CVE-2022-22963 Spring Cloud and CVE-2022-22965 Spring Framework Vulnerability and Implications for INSIGHT DLP Appliances
Dear INSIGHT Appliance Customer:
As you may be aware, on April 1, 2021, researchers found the critical vulnerabilities CVE-2022-22963 Spring Cloud and CVE-2022-22965 Spring Framework.
CVE-2022-22963 is a vulnerability in the routing functionality of Spring Cloud Function that allows code injection through Spring Expression Language (SpEL) by adding a special spring.cloud.function.routing-expression header to an HTTP request.
A vulnerable configuration consists of:
- Spring Cloud Function 3.1.6, 3.2.2 and older versions
CVE-2022-22965 (Spring4Shell, SpringShell) is a vulnerability in the data binding functionality of the Spring Framework, which binds data stored within an HTTP request to certain objects used by an application.
A vulnerable configuration consists of:
- JDK version 9+
- Apache Tomcat for serving the application
- Spring Framework versions 5.3.0 to 5.3.17, and 5.2.0 to 5.2.19 and below
- application built as a WAR file
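As an added illustration (not part of this advisory or of any INSIGHT or Broadcom tooling), the following Python encodes the two vulnerable-configuration lists above as an inventory check over jar names found under WEB-INF/lib of a deployed WAR. The sample jar list is constructed, and the artifact names spring-beans and spring-cloud-function-context are assumptions about how the affected libraries are packaged.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample: jar names as they might appear under WEB-INF/lib of a WAR.
SAMPLE_WAR_LIBS = [
    "WEB-INF/lib/spring-webmvc-5.3.17.jar",
    "WEB-INF/lib/spring-beans-5.3.17.jar",
    "WEB-INF/lib/spring-cloud-function-context-3.1.6.jar",
    "WEB-INF/lib/jackson-databind-2.13.2.jar",
]


def parse_version(text: str) -> Version:
    """'5.3.17' -> (5, 3, 17); tuples compare component by component."""
    return tuple(int(p) for p in text.split("."))


def jar_version(libs: Iterable[str], artifact: str) -> Optional[Version]:
    """Version of the first jar named <artifact>-<x.y.z>[.RELEASE].jar, or None."""
    pattern = re.compile(rf"(?:^|/){re.escape(artifact)}-(\d+(?:\.\d+)*)(?:\.RELEASE)?\.jar$")
    for name in libs:
        m = pattern.search(name)
        if m:
            return parse_version(m.group(1))
    return None


def spring_framework_vulnerable(v: Version) -> bool:
    # Advisory ranges: 5.3.0 to 5.3.17, and 5.2.0 to 5.2.19 "and below".
    return (5, 3, 0) <= v <= (5, 3, 17) or v <= (5, 2, 19)


def spring_cloud_function_vulnerable(v: Version) -> bool:
    # Advisory: 3.1.6, 3.2.2 "and older versions".
    return v <= (3, 1, 6) or (3, 2, 0) <= v <= (3, 2, 2)


def assess(libs: Iterable[str], jdk_major: int, servlet_container: str,
           packaged_as_war: bool) -> Dict[str, bool]:
    """Map each CVE to True only when every condition the advisory lists is met."""
    libs = list(libs)
    findings = {"CVE-2022-22963": False, "CVE-2022-22965": False}
    scf = jar_version(libs, "spring-cloud-function-context")  # assumed artifact name
    if scf is not None and spring_cloud_function_vulnerable(scf):
        findings["CVE-2022-22963"] = True
    sf = jar_version(libs, "spring-beans")  # assumed: carries the data-binding code
    if (sf is not None and spring_framework_vulnerable(sf) and jdk_major >= 9
            and servlet_container.lower() == "tomcat" and packaged_as_war):
        findings["CVE-2022-22965"] = True
    return findings


if __name__ == "__main__":
    print(assess(SAMPLE_WAR_LIBS, jdk_major=11, servlet_container="Tomcat", packaged_as_war=True))
```

A JDK 8 deployment or a non-Tomcat container drops the CVE-2022-22965 finding while the Spring Cloud Function finding stands, matching the separate condition lists above.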
The INSIGHT Development and Security teams have investigated these vulnerabilities and their potential impact on INSIGHT Appliances, Symantec Data Loss Prevention (DLP), and the Oracle Database. The INSIGHT Appliances, Symantec DLP, and the Oracle Database do not utilize Spring Cloud Function or Spring Framework packages. Please note that these vulnerabilities/exploits do not affect or impact the INSIGHT Appliances, Symantec DLP, or the Oracle Database.
Below is the article released by Broadcom relating to these vulnerabilities and their impact on DLP:
https://knowledge.broadcom.com/external/article?articleId=238391
============================================================
Additional articles for your reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-22963
https://nvd.nist.gov/vuln/detail/CVE-2022-22965
https://www.helpnetsecurity.com/2022/04/01/cve-2022-22965/
https://securelist.com/spring4shell-cve-2022-22965/106239/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/spring4shell-rce-vuln-java