CVE-2022-22965

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Weakness type: Code Injection
Provider | Type | Base Score   | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST     | NIST | 9.8 CRITICAL | NETWORK     | LOW             | NONE           | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vmware   | CNA  | ---          | ---         | ---             | ---            | ---
CVE      | ADP  | ---          | ---         | ---             | ---            | ---
CISA-ADP | ADP  | 9.8 CRITICAL | NETWORK     | LOW             | NONE           | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score (CVSS 3.x): 9.8 CRITICAL
EPSS Score percentile: 99%
Affected software (x = vulnerable software versions)

Vendor  | Product                                                                      | Version
vmware  | spring_framework                                                             | x < 5.2.20
vmware  | spring_framework                                                             | 5.3.0 ≤ x < 5.3.18
cisco   | cx_cloud_agent                                                               | x < 2.1.0
oracle  | communications_cloud_native_core_automated_test_suite                        | 1.9.0
oracle  | communications_cloud_native_core_automated_test_suite                        | 22.1.0
oracle  | communications_cloud_native_core_console                                     | 1.9.0
oracle  | communications_cloud_native_core_console                                     | 22.1.0
oracle  | communications_cloud_native_core_network_exposure_function                   | 22.1.0
oracle  | communications_cloud_native_core_network_function_cloud_native_environment   | 1.10.0
oracle  | communications_cloud_native_core_network_function_cloud_native_environment   | 22.1.0
oracle  | communications_cloud_native_core_network_repository_function                 | 1.15.0
oracle  | communications_cloud_native_core_network_repository_function                 | 22.1.0
oracle  | communications_cloud_native_core_network_slice_selection_function            | 1.8.0
oracle  | communications_cloud_native_core_network_slice_selection_function            | 1.15.0
oracle  | communications_cloud_native_core_network_slice_selection_function            | 22.1.0
oracle  | communications_cloud_native_core_policy                                      | 1.15.0
oracle  | communications_cloud_native_core_policy                                      | 22.1.0
oracle  | communications_cloud_native_core_security_edge_protection_proxy              | 1.7.0
oracle  | communications_cloud_native_core_security_edge_protection_proxy              | 22.1.0
oracle  | communications_cloud_native_core_unified_data_repository                     | 1.15.0
oracle  | communications_cloud_native_core_unified_data_repository                     | 22.1.0
oracle  | communications_policy_management                                             | 12.6.0.0.0
oracle  | financial_services_analytical_applications_infrastructure                    | 8.1.1
oracle  | financial_services_analytical_applications_infrastructure                    | 8.1.2.0
oracle  | financial_services_behavior_detection_platform                               | 8.1.1.0
oracle  | financial_services_behavior_detection_platform                               | 8.1.1.1
oracle  | financial_services_behavior_detection_platform                               | 8.1.2.0
oracle  | financial_services_enterprise_case_management                                | 8.1.1.0
oracle  | financial_services_enterprise_case_management                                | 8.1.1.1
oracle  | financial_services_enterprise_case_management                                | 8.1.2.0
oracle  | mysql_enterprise_monitor                                                     | x < 8.0.29
oracle  | product_lifecycle_analytics                                                  | 3.6.1
oracle  | retail_xstore_point_of_service                                               | 20.0.1
oracle  | retail_xstore_point_of_service                                               | 21.0.0
oracle  | sd-wan_edge                                                                  | 9.0
oracle  | sd-wan_edge                                                                  | 9.1
siemens | operation_scheduler                                                          | x < 2.0.4
siemens | sipass_integrated                                                            | 2.80
siemens | sipass_integrated                                                            | 2.85
siemens | siveillance_identity                                                         | 1.5
siemens | siveillance_identity                                                         | 1.6
veritas | access_appliance                                                             | 7.4.3
veritas | access_appliance                                                             | 7.4.3.100
veritas | access_appliance                                                             | 7.4.3.200
veritas | flex_appliance                                                               | 1.3
veritas | flex_appliance                                                               | 2.0
veritas | flex_appliance                                                               | 2.0.1
veritas | flex_appliance                                                               | 2.0.2
veritas | flex_appliance                                                               | 2.1
veritas | netbackup_flex_scale_appliance                                               | 2.1
veritas | netbackup_flex_scale_appliance                                               | 3.0
veritas | netbackup_appliance                                                          | 4.0
veritas | netbackup_appliance                                                          | 4.0.0.1:maintenance_release1
veritas | netbackup_appliance                                                          | 4.0.0.1:maintenance_release2
veritas | netbackup_appliance                                                          | 4.0.0.1:maintenance_release3
veritas | netbackup_appliance                                                          | 4.1
veritas | netbackup_appliance                                                          | 4.1.0.1:maintenance_release1
veritas | netbackup_appliance                                                          | 4.1.0.1:maintenance_release2
veritas | netbackup_virtual_appliance                                                  | 4.0
veritas | netbackup_virtual_appliance                                                  | 4.0.0.1:maintenance_release1
veritas | netbackup_virtual_appliance                                                  | 4.0.0.1:maintenance_release2
veritas | netbackup_virtual_appliance                                                  | 4.0.0.1:maintenance_release3
veritas | netbackup_virtual_appliance                                                  | 4.1
veritas | netbackup_virtual_appliance                                                  | 4.1.0.1:maintenance_release1
veritas | netbackup_virtual_appliance                                                  | 4.1.0.1:maintenance_release2
siemens | simatic_speech_assistant_for_machines                                        | x < 1.2.1
siemens | sinec_network_management_system                                              | x < 1.0.3
oracle  | commerce_platform                                                            | 11.3.2
oracle  | communications_cloud_native_core_binding_support_function                    | 22.1.3
oracle  | communications_unified_inventory_management                                  | 7.4.1
oracle  | communications_unified_inventory_management                                  | 7.4.2
oracle  | communications_unified_inventory_management                                  | 7.5.0
oracle  | retail_bulk_data_integration                                                 | 16.0.3
oracle  | retail_customer_management_and_segmentation_foundation                       | 17.0
oracle  | retail_customer_management_and_segmentation_foundation                       | 18.0
oracle  | retail_customer_management_and_segmentation_foundation                       | 19.0
oracle  | retail_financial_integration                                                 | 14.1.3.2
oracle  | retail_financial_integration                                                 | 15.0.3.1
oracle  | retail_financial_integration                                                 | 16.0.3
oracle  | retail_financial_integration                                                 | 19.0.1
oracle  | retail_integration_bus                                                       | 14.1.3.2
oracle  | retail_integration_bus                                                       | 15.0.3.1
oracle  | retail_integration_bus                                                       | 16.0.3
oracle  | retail_integration_bus                                                       | 19.0.1
oracle  | retail_merchandising_system                                                  | 16.0.3
oracle  | retail_merchandising_system                                                  | 19.0.1
oracle  | weblogic_server                                                              | 12.2.1.3.0
oracle  | weblogic_server                                                              | 12.2.1.4.0
oracle  | weblogic_server                                                              | 14.1.1.0.0
Debian Releases

Debian Product  | Codename | Status
libspring-java  | bullseye | unimportant
libspring-java  | sid      | unimportant
libspring-java  | trixie   | unimportant
libspring-java  | bookworm | unimportant
Ubuntu Releases

Ubuntu Product  | Codename | Status
libspring-java  | noble    | needs-triage
libspring-java  | mantic   | ignored
libspring-java  | lunar    | ignored
libspring-java  | kinetic  | ignored
libspring-java  | jammy    | needs-triage
libspring-java  | impish   | ignored
libspring-java  | focal    | needs-triage
libspring-java  | bionic   | needs-triage
libspring-java  | xenial   | needs-triage
libspring-java  | trusty   | needs-triage