wid-sec-w-2022-0033
Vulnerability from csaf_certbund
Published
2022-03-30 22:00
Modified
2024-12-18 23:00
Summary
VMware Tanzu Spring Framework: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Das Spring Framework bietet ein Entwicklungsmodell für Java mit Infrastrukturunterstützung auf Anwendungsebene.
Angriff
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in VMware Tanzu Spring Framework ausnutzen, um beliebigen Programmcode mit den Rechten des Dienstes auszuführen.
Betroffene Betriebssysteme
- CISCO Appliance
- Linux
- Sonstiges
- UNIX
- Windows
{ "document": { "aggregate_severity": { "text": "kritisch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Das Spring Framework bietet ein Entwicklungsmodell f\u00fcr Java mit Infrastrukturunterst\u00fctzung auf Anwendungsebene.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in VMware Tanzu Spring Framework ausnutzen, um beliebigen Programmcode mit den Rechten des Dienstes auszuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- CISCO Appliance\n- Linux\n- Sonstiges\n- UNIX\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2022-0033 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-0033.json" }, { "category": "self", "summary": "WID-SEC-2022-0033 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0033" }, { "category": "external", "summary": "Rapid7 Blog Post vom 2022-03-30", "url": "https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/" }, { "category": "external", "summary": "Sonatype Blog", "url": 
"https://blog.sonatype.com/new-0-day-spring-framework-vulnerability-confirmed" }, { "category": "external", "summary": "Artikel von Praetorian", "url": "https://www.praetorian.com/blog/spring-core-jdk9-rce/" }, { "category": "external", "summary": "Spring Cloud Advisory vom 2022-03-30", "url": "https://www.springcloud.io/post/2022-03/spring-0day-vulnerability/" }, { "category": "external", "summary": "Spring Boot 2.6.6 available now vom 2022-03-31", "url": "https://spring.io/blog/2022/03/31/spring-boot-2-6-6-available-now" }, { "category": "external", "summary": "Spring Boot 2.5.12 available now vom 2022-03-31", "url": "https://spring.io/blog/2022/03/31/spring-boot-2-5-12-available-now" }, { "category": "external", "summary": "Spring Framework RCE vom 2022-03-31", "url": "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement" }, { "category": "external", "summary": "Cisco Security Advisory CISCO-SA-JAVA-SPRING-RCE-ZX9GUC67 vom 2022-04-02", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67" }, { "category": "external", "summary": "SonicWall Security Advisory SNWLID-2022-0005 vom 2022-04-02", "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005" }, { "category": "external", "summary": "VMware Security Advisory VMSA-2022-0010 vom 2022-04-02", "url": "https://www.vmware.com/security/advisories/VMSA-2022-0010.html" }, { "category": "external", "summary": "Apache Tomcat Release Notes", "url": "https://tomcat.apache.org/" }, { "category": "external", "summary": "Unify Security Advisory Report OBSO-2204-01 vom 2022-04-04", "url": "https://networks.unify.com/security/advisories/OBSO-2204-01.pdf" }, { "category": "external", "summary": "HCL Article KB0097763 vom 2022-04-06", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097763" }, { "category": "external", "summary": "Solarwinds Documentation for Security Event Manager", "url": 
"https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-2_release_notes.htm" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:1306 vom 2022-04-11", "url": "https://access.redhat.com/errata/RHSA-2022:1306" }, { "category": "external", "summary": "Cisco Security Advisory CISCO-SA-JAVA-SPRING-RCE-ZX9GUC67 vom 2022-04-12", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:1333 vom 2022-04-13", "url": "https://access.redhat.com/errata/RHSA-2022:1333" }, { "category": "external", "summary": "IBM Security Bulletin 6571299 vom 2022-04-13", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-affected-but-not-classified-as-vulnerable-to-remote-code-execution-in-spring-framework-cve-2022-22965/" }, { "category": "external", "summary": "Lenovo Security Advisory LEN-87699 vom 2022-04-13", "url": "https://support.lenovo.com/us/en/product_security/LEN-87699" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:1360 vom 2022-04-13", "url": "https://access.redhat.com/errata/RHSA-2022:1360" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:1379 vom 2022-04-15", "url": "https://access.redhat.com/errata/RHSA-2022:1379" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:1378 vom 2022-04-15", "url": "https://access.redhat.com/errata/RHSA-2022:1378" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:1626 vom 2022-04-27", "url": "https://access.redhat.com/errata/RHSA-2022:1626" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:1627 vom 2022-04-27", "url": "https://access.redhat.com/errata/RHSA-2022:1627" }, { "category": "external", "summary": "IBM Security Bulletin 6575577 vom 2022-04-28", "url": 
"https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-affected-by-a-remote-code-execution-in-spring-framework-cve-2022-22965/" }, { "category": "external", "summary": "Atlassian Security Advisory JSWSERVER-21350 vom 2022-05-11", "url": "https://jira.atlassian.com/browse/JSWSERVER-21350" }, { "category": "external", "summary": "Hitachi Vulnerability Information HITACHI-SEC-2022-114 vom 2022-05-27", "url": "https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2022-114/index.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:4880 vom 2022-06-02", "url": "https://access.redhat.com/errata/RHSA-2022:4880" }, { "category": "external", "summary": "Ubuntu Security Notice USN-7165-1 vom 2024-12-18", "url": "https://ubuntu.com/security/notices/USN-7165-1" } ], "source_lang": "en-US", "title": "VMware Tanzu Spring Framework: Schwachstelle erm\u00f6glicht Ausf\u00fchren von beliebigem Programmcode", "tracking": { "current_release_date": "2024-12-18T23:00:00.000+00:00", "generator": { "date": "2024-12-19T09:19:52.335+00:00", "engine": { "name": "BSI-WID", "version": "1.3.10" } }, "id": "WID-SEC-W-2022-0033", "initial_release_date": "2022-03-30T22:00:00.000+00:00", "revision_history": [ { "date": "2022-03-30T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2022-03-31T22:00:00.000+00:00", "number": "2", "summary": "CVE und neue Updates aufgenommen" }, { "date": "2022-04-03T22:00:00.000+00:00", "number": "3", "summary": "Neue Updates von Tomcat, Cisco, SonicWall und VMware aufgenommen" }, { "date": "2022-04-04T22:00:00.000+00:00", "number": "4", "summary": "Neue Informationen von Unify aufgenommen" }, { "date": "2022-04-05T22:00:00.000+00:00", "number": "5", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-04-06T22:00:00.000+00:00", "number": "6", "summary": "Anpassung" }, { "date": "2022-04-10T22:00:00.000+00:00", "number": "7", "summary": 
"Neue Updates aufgenommen" }, { "date": "2022-04-11T22:00:00.000+00:00", "number": "8", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-04-12T22:00:00.000+00:00", "number": "9", "summary": "Neue Informationen von Cisco und Lenovo aufgenommen" }, { "date": "2022-04-13T22:00:00.000+00:00", "number": "10", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-04-18T22:00:00.000+00:00", "number": "11", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-04-26T22:00:00.000+00:00", "number": "12", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-04-27T22:00:00.000+00:00", "number": "13", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-05-11T22:00:00.000+00:00", "number": "14", "summary": "Neue Updates von Atlassian aufgenommen" }, { "date": "2022-05-26T22:00:00.000+00:00", "number": "15", "summary": "Neue Updates von HITACHI aufgenommen" }, { "date": "2022-06-01T22:00:00.000+00:00", "number": "16", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2024-12-18T23:00:00.000+00:00", "number": "17", "summary": "Neue Updates von Ubuntu aufgenommen" } ], "status": "final", "version": "17" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c9.0.62", "product": { "name": "Apache Tomcat \u003c9.0.62", "product_id": "T022513" } }, { "category": "product_version", "name": "9.0.62", "product": { "name": "Apache Tomcat 9.0.62", "product_id": "T022513-fixed", "product_identification_helper": { "cpe": "cpe:/a:apache:tomcat:9.0.62" } } }, { "category": "product_version_range", "name": "\u003c10.0.20", "product": { "name": "Apache Tomcat \u003c10.0.20", "product_id": "T022514" } }, { "category": "product_version", "name": "10.0.20", "product": { "name": "Apache Tomcat 10.0.20", "product_id": "T022514-fixed", "product_identification_helper": { "cpe": "cpe:/a:apache:tomcat:10.0.20" } } }, { "category": 
"product_version_range", "name": "\u003c8.5.78", "product": { "name": "Apache Tomcat \u003c8.5.78", "product_id": "T022515" } }, { "category": "product_version", "name": "8.5.78", "product": { "name": "Apache Tomcat 8.5.78", "product_id": "T022515-fixed", "product_identification_helper": { "cpe": "cpe:/a:apache:tomcat:8.5.78" } } } ], "category": "product_name", "name": "Tomcat" } ], "category": "vendor", "name": "Apache" }, { "branches": [ { "category": "product_name", "name": "Atlassian Jira Software", "product": { "name": "Atlassian Jira Software", "product_id": "T015027", "product_identification_helper": { "cpe": "cpe:/a:atlassian:jira_software:-" } } } ], "category": "vendor", "name": "Atlassian" }, { "branches": [ { "category": "product_name", "name": "Cisco Meeting Server", "product": { "name": "Cisco Meeting Server", "product_id": "T018748", "product_identification_helper": { "cpe": "cpe:/a:cisco:meeting_server:-" } } } ], "category": "vendor", "name": "Cisco" }, { "branches": [ { "category": "product_name", "name": "HCL Domino", "product": { "name": "HCL Domino", "product_id": "777623", "product_identification_helper": { "cpe": "cpe:/a:hcltech:domino:-" } } }, { "category": "product_name", "name": "HCL Notes", "product": { "name": "HCL Notes", "product_id": "T022546", "product_identification_helper": { "cpe": "cpe:/a:hcltech:notes:-" } } } ], "category": "vendor", "name": "HCL" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "Energy Manager", "product": { "name": "Lenovo XClarity Energy Manager", "product_id": "T022659", "product_identification_helper": { "cpe": "cpe:/a:lenovo:xclarity:::energy_manager" } } } ], "category": "product_name", "name": "XClarity" } ], "category": "vendor", "name": "Lenovo" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": 
"cpe:/o:redhat:enterprise_linux:-" } } } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c4.1.6", "product": { "name": "Shibboleth Identity Provider \u003c4.1.6", "product_id": "T022497" } }, { "category": "product_version", "name": "4.1.6", "product": { "name": "Shibboleth Identity Provider 4.1.6", "product_id": "T022497-fixed", "product_identification_helper": { "cpe": "cpe:/a:shibboleth:identity_provider:4.1.6" } } } ], "category": "product_name", "name": "Identity Provider" } ], "category": "vendor", "name": "Shibboleth" }, { "branches": [ { "category": "product_name", "name": "SolarWinds Security Event Manager", "product": { "name": "SolarWinds Security Event Manager", "product_id": "T022592", "product_identification_helper": { "cpe": "cpe:/a:solarwinds:security_event_manager:-" } } } ], "category": "vendor", "name": "SolarWinds" }, { "branches": [ { "category": "product_name", "name": "Ubuntu Linux", "product": { "name": "Ubuntu Linux", "product_id": "T000126", "product_identification_helper": { "cpe": "cpe:/o:canonical:ubuntu_linux:-" } } } ], "category": "vendor", "name": "Ubuntu" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c2.5.12", "product": { "name": "VMware Tanzu Spring Boot \u003c2.5.12", "product_id": "T022487" } }, { "category": "product_version", "name": "2.5.12", "product": { "name": "VMware Tanzu Spring Boot 2.5.12", "product_id": "T022487-fixed", "product_identification_helper": { "cpe": "cpe:/a:vmware_tanzu:spring_boot:2.5.12" } } }, { "category": "product_version_range", "name": "\u003c2.6.6", "product": { "name": "VMware Tanzu Spring Boot \u003c2.6.6", "product_id": "T022488" } }, { "category": "product_version", "name": "2.6.6", "product": { "name": "VMware Tanzu Spring Boot 2.6.6", "product_id": "T022488-fixed", "product_identification_helper": { "cpe": "cpe:/a:vmware_tanzu:spring_boot:2.6.6" } } } ], "category": 
"product_name", "name": "Spring Boot" }, { "branches": [ { "category": "product_version_range", "name": "\u003c5.3.18", "product": { "name": "VMware Tanzu Spring Framework \u003c5.3.18", "product_id": "T022485" } }, { "category": "product_version", "name": "5.3.18", "product": { "name": "VMware Tanzu Spring Framework 5.3.18", "product_id": "T022485-fixed", "product_identification_helper": { "cpe": "cpe:/a:vmware_tanzu:spring_framework:5.3.18" } } }, { "category": "product_version_range", "name": "\u003c5.2.20", "product": { "name": "VMware Tanzu Spring Framework \u003c5.2.20", "product_id": "T022486" } }, { "category": "product_version", "name": "5.2.20", "product": { "name": "VMware Tanzu Spring Framework 5.2.20", "product_id": "T022486-fixed", "product_identification_helper": { "cpe": "cpe:/a:vmware_tanzu:spring_framework:5.2.20" } } } ], "category": "product_name", "name": "Spring Framework" } ], "category": "vendor", "name": "VMware Tanzu" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-22965", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle im VMware Tanzu Spring Framework bei der Nutzung von JDK ab Version 9 bez\u00fcglich \"spring-beans-*.jar\" Dateien. Unter bestimmten Konfigurationen kann ein entfernter anonymer Angreifer \u00fcber speziell manipulierte HTTP-Anfragen an ein anf\u00e4lliges System beliebigen Code zur Ausf\u00fchrung bringen." } ], "product_status": { "known_affected": [ "67646", "T015027", "T022514", "T022515", "T022659", "T022488", "T000126", "T022546", "T022513", "T018748", "T022485", "T022486", "T022497", "777623", "T022487", "T022592" ] }, "release_date": "2022-03-30T22:00:00.000+00:00", "title": "CVE-2022-22965" } ] }
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.