INSIGHT Support Advisory: CVE-2022-22963 Spring Cloud and CVE-2022-22965 Spring Framework Vulnerability Statement

April 6, 2022


RE: CVE-2022-22963 Spring Cloud and CVE-2022-22965 Spring Framework Vulnerability and Implications for INSIGHT DLP Appliances


Dear INSIGHT Appliance Customer:

As you may be aware, in late March and early April 2022 two critical vulnerabilities were publicly disclosed: CVE-2022-22963 in Spring Cloud Function and CVE-2022-22965 in the Spring Framework.

CVE-2022-22963 is a vulnerability in the routing functionality of Spring Cloud Function. When the routing feature is in use, an attacker can inject Spring Expression Language (SpEL) code by supplying a crafted spring.cloud.function.routing-expression HTTP header; the expression is evaluated on the server and leads to remote code execution.

A vulnerable configuration consists of:

  • Spring Cloud Function 3.1.6, 3.2.2 and older, unsupported versions (fixed in 3.1.7 and 3.2.3)


CVE-2022-22965 (Spring4Shell, SpringShell) is a remote code execution vulnerability in the Spring Framework's data binding, the mechanism that maps HTTP request parameters onto the fields of application objects. On JDK 9 and later, a crafted request can bind through the class.module.classLoader property path and reach the class loader; in the deployment described below that gives an attacker remote code execution on the server.

A vulnerable configuration consists of all of the following:

  • JDK version 9 or higher
  • Apache Tomcat as the Servlet container
  • Application packaged as a traditional WAR file (not an executable JAR with embedded Tomcat)
  • spring-webmvc or spring-webflux dependency
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older, unsupported versions (fixed in 5.3.18 and 5.2.20)
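Both vulnerabilities leave recognisable traces in the HTTP request itself: the spring.cloud.function.routing-expression header for CVE-2022-22963, and a class.module.classLoader property path in the query string or form body for CVE-2022-22965. The Python script below applies those two checks to incoming requests. It is added here as an illustration and is not part of the original advisory, nor INSIGHT or Broadcom tooling; the request records, hostnames, paths and parameter values are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import unquote

# Header abused by CVE-2022-22963 (named in the advisory above). Header names
# are compared case-insensitively, as HTTP requires.
ROUTING_HEADER = "spring.cloud.function.routing-expression"

# SpEL constructs found in practically every CVE-2022-22963 payload: a type
# reference T(...) or an explicit constructor call inside the expression.
SPEL_PATTERN = re.compile(r"\bT\s*\(|\bnew\s+[A-Za-z_][\w.]*\s*\(")

# Property path used by CVE-2022-22965 requests to reach the class loader
# through Spring's data binder. Matched after URL-decoding so that encoded
# dots (class%2Emodule%2EclassLoader) do not evade the check.
CLASSLOADER_PATTERN = re.compile(r"class\.module\.classLoader", re.IGNORECASE)


@dataclass
class Request:
    """Minimal view of one HTTP request, as a WAF or access-log parser would hand it over."""
    method: str
    target: str                      # path plus optional query string
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def triage_request(req: Request) -> List[str]:
    """Return the list of findings for one request (empty when it looks clean)."""
    findings: List[str] = []

    for name, value in req.headers.items():
        if name.lower() != ROUTING_HEADER:
            continue
        if SPEL_PATTERN.search(unquote(value)):
            findings.append("CVE-2022-22963: SpEL type reference or constructor in routing-expression header")
        else:
            # Ordinary clients have no reason to set this header; flag it even without obvious SpEL.
            findings.append("CVE-2022-22963: routing-expression header present")

    query = req.target.partition("?")[2]
    for where, text in (("query string", query), ("body", req.body)):
        if CLASSLOADER_PATTERN.search(unquote(text)):
            findings.append(f"CVE-2022-22965: class.module.classLoader binding attempt in {where}")

    return findings


def triage_all(requests: List[Request]) -> Dict[str, List[str]]:
    """Map each suspicious request (keyed by method and target) to its findings."""
    report: Dict[str, List[str]] = {}
    for req in requests:
        findings = triage_request(req)
        if findings:
            report[f"{req.method} {req.target}"] = findings
    return report


# Constructed sample traffic for the demonstration (not captured from any real system).
SAMPLE_REQUESTS = [
    Request("POST", "/functionRouter",
            {"Host": "app.example.test",
             "spring.cloud.function.routing-expression": "T(java.lang.System).getProperty('java.version')"},
            body="test"),
    Request("GET", "/app/greet?class.module.classLoader.DefaultAssertionStatus=nonsense",
            {"Host": "app.example.test"}),
    Request("POST", "/app/greet",
            {"Host": "app.example.test", "Content-Type": "application/x-www-form-urlencoded"},
            body="name=alice&class%2Emodule%2EclassLoader.DefaultAssertionStatus=1"),
    Request("GET", "/app/greet?name=bob", {"Host": "app.example.test"}),
]

if __name__ == "__main__":
    for key, findings in triage_all(SAMPLE_REQUESTS).items():
        print(key)
        for finding in findings:
            print("   ", finding)
```

The header check matches the header name case-insensitively and URL-decodes values before pattern matching, so a payload encoded as `%54(` or `class%2Emodule` is still caught. A hit on the routing-expression header is worth alerting on even without visible SpEL, since legitimate clients do not set it.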


The INSIGHT Development and Security teams have investigated these vulnerabilities and their potential impact on INSIGHT Appliances, Symantec Data Loss Prevention (DLP), and the Oracle Database. None of these components use the Spring Cloud Function or Spring Framework packages. Consequently, neither CVE-2022-22963 nor CVE-2022-22965 affects INSIGHT Appliances, Symantec DLP, or the Oracle Database.
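The statement above rests on the fact that none of the components bundle Spring. A customer who wants to verify the same thing on other Java deployments can check the bundled jar versions against the affected ranges listed earlier in this advisory. The Python script below does that; it is an added example, not code from the advisory, INSIGHT or Broadcom, and the file listing it scans is constructed for the demonstration. It keys on the spring-core and spring-cloud-function-context artifact names and on the first fixed releases, 5.2.20 / 5.3.18 and 3.1.7 / 3.2.3.

```python
import re
import zipfile
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release of each maintained line, per the Spring advisories for
# CVE-2022-22965 (spring-core 5.2.20 / 5.3.18) and CVE-2022-22963
# (spring-cloud-function-context 3.1.7 / 3.2.3).
FIXED_IN = {
    "spring-core": [(5, 2, 20), (5, 3, 18)],
    "spring-cloud-function-context": [(3, 1, 7), (3, 2, 3)],
}

# Maven-style jar names, e.g. spring-core-5.3.17.jar, spring-core-5.2.20.RELEASE.jar
# or spring-cloud-function-context-3.2.2.jar.
JAR_NAME = re.compile(r"(spring-core|spring-cloud-function-context)-(\d+\.\d+\.\d+)[^/\\]*\.jar$")


def parse_version(text: str) -> Optional[Version]:
    """Turn a leading major.minor.patch string into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def is_vulnerable(artifact: str, version: Version) -> bool:
    """True when the version falls inside the affected ranges for the artifact."""
    fixes = sorted(FIXED_IN[artifact])
    if version >= fixes[-1]:
        return False                 # newest patched line, or anything released after it
    for fix in fixes:
        if version[:2] == fix[:2]:
            return version < fix     # inside a maintained line: compare the patch level
    return True                      # older, unsupported line: no fix was published for it


def scan_names(names: Iterable[str]) -> List[Tuple[str, str, Version, bool]]:
    """Apply the version check to file names from a directory walk or an archive listing."""
    results = []
    for name in names:
        m = JAR_NAME.search(name)
        if not m:
            continue
        version = parse_version(m.group(2))
        if version is not None:
            results.append((name, m.group(1), version, is_vulnerable(m.group(1), version)))
    return results


def scan_path(root: str) -> List[Tuple[str, str, Version, bool]]:
    """Walk a deployment directory, also looking inside WAR/EAR archives for bundled jars."""
    names: List[str] = []
    for p in Path(root).rglob("*"):
        if p.suffix == ".jar":
            names.append(str(p))
        elif p.suffix in (".war", ".ear") and zipfile.is_zipfile(p):
            with zipfile.ZipFile(p) as archive:
                names.extend(f"{p}!/{entry}" for entry in archive.namelist())
    return scan_names(names)


# Constructed file listing for the demonstration (not taken from any real appliance).
SAMPLE_LISTING = [
    "/opt/app/lib/spring-core-5.3.17.jar",
    "/opt/app/lib/spring-core-5.2.20.RELEASE.jar",
    "/opt/app/webapps/api.war!/WEB-INF/lib/spring-cloud-function-context-3.2.2.jar",
    "/opt/app/webapps/api.war!/WEB-INF/lib/spring-cloud-function-context-3.1.7.jar",
    "/opt/app/lib/spring-core-4.3.30.RELEASE.jar",
    "/opt/app/lib/jackson-databind-2.13.2.jar",
]

if __name__ == "__main__":
    for name, artifact, version, vulnerable in scan_names(SAMPLE_LISTING):
        status = "VULNERABLE" if vulnerable else "ok"
        print(f"{status:10} {artifact} {'.'.join(map(str, version))}  {name}")
```

Run `scan_path("/opt/tomcat")` (or any deployment root) to walk a real tree. A vulnerable spring-core version is necessary but not sufficient for Spring4Shell, which also needs JDK 9+, Tomcat and a WAR deployment, so treat a hit as "patch now" rather than "confirmed exploitable". All Spring Framework artifacts (spring-beans, spring-webmvc and so on) ship with the same version as spring-core, so checking spring-core is sufficient to establish the framework version.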


Below is the article released by Broadcom relating to these vulnerabilities and their impact on DLP:

https://knowledge.broadcom.com/external/article?articleId=238391

============================================================

Additional articles for your reference:

https://nvd.nist.gov/vuln/detail/CVE-2022-22963

https://nvd.nist.gov/vuln/detail/CVE-2022-22965

https://www.helpnetsecurity.com/2022/04/01/cve-2022-22965/

https://securelist.com/spring4shell-cve-2022-22965/106239/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/spring4shell-rce-vuln-java
