The severe remote code execution vulnerability known as Spring4Shell, which affects a number of VMware's cloud computing and virtualization products, has been patched.
An advisory from the firm contains a list of VMware products that are impacted by Spring4Shell. In the absence of a patch, VMware has issued a workaround as a stopgap measure.
Because Spring4Shell is an actively exploited vulnerability, it is crucial to follow the recommendations offered in the security bulletin at this time.
A remote code execution vulnerability in the Spring Core Java framework, officially listed as CVE-2022-22965, may be exploited without authentication and has a severity level of 9.8 out of 10.
This means that any malicious actor with access to vulnerable programmes may run arbitrary instructions on a target machine and gain total control of it.
Because the Spring Framework is so widely used for Java app development, security experts are concerned about large-scale attacks using the Spring4Shell vulnerability.
To make matters worse, a working proof-of-concept (PoC) exploit was leaked on GitHub even before a security update had become available, raising the chances of malicious exploitation and “surprise” attacks.
Impact and remediation
The critical flaw impacts Spring MVC and Spring WebFlux apps running on JDK 9+. The exploit requires the app to run on Tomcat as a WAR deployment, although the exact limitations are still under investigation.
The corrected versions are as follows:
Spring Framework 5.3.18 and Spring Framework 5.2.20
Spring Boot 2.5.12
Spring Boot 2.6.6 (soon to be released)
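A defender-side triage check for the preconditions described above, written as an added example rather than code from VMware or the Spring project: it inspects a WAR deployment (the exploit precondition named above) for spring-core and spring-boot jars in WEB-INF/lib, compares their versions against the fixed releases listed above, and takes the running JDK major version as an argument. The sample WAR and jar names are constructed inline; a jar version that falls outside the patched 5.2/5.3 and 2.5/2.6 branches is flagged for manual review rather than guessed at.

```python
import io
import re
import zipfile

# Fixed releases as listed in the advisory summary above, keyed by branch.
FIXED_SPRING = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
FIXED_BOOT = {(2, 5): (2, 5, 12), (2, 6): (2, 6, 6)}

# Matches e.g. WEB-INF/lib/spring-core-5.3.17.jar or spring-core-5.3.17.RELEASE.jar
JAR_RE = re.compile(r"^WEB-INF/lib/(spring-core|spring-boot)-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")


def parse_versions(war_bytes):
    """Return {artifact: (major, minor, patch)} for spring-core / spring-boot jars."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = JAR_RE.match(name)
            if m:
                found[m.group(1)] = tuple(int(x) for x in m.group(2, 3, 4))
    return found


def is_fixed(artifact, version):
    """True if version is at or above the fixed release of its branch; None if unknown branch."""
    table = FIXED_SPRING if artifact == "spring-core" else FIXED_BOOT
    fixed = table.get(version[:2])
    if fixed is None:
        return None  # branch not covered by the listed fixes: needs manual review
    return version >= fixed


def triage_war(war_bytes, jdk_major):
    """Classify a WAR against the advisory's preconditions (JDK 9+, unpatched Spring)."""
    versions = parse_versions(war_bytes)
    if not versions:
        return "no-spring"
    if jdk_major < 9:
        return "not-exposed (JDK < 9)"
    statuses = {a: is_fixed(a, v) for a, v in versions.items()}
    if any(s is False for s in statuses.values()):
        return "vulnerable"
    if any(s is None for s in statuses.values()):
        return "review"
    return "patched"


def build_sample_war(jar_names):
    """Constructed sample input: an empty WAR whose WEB-INF/lib holds the given jar names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for jar in jar_names:
            war.writestr(f"WEB-INF/lib/{jar}", b"")
    return buf.getvalue()
```

To run it against a real deployment, pass the bytes of the deployed WAR to `triage_war` together with the JDK major version reported by `java -version` on that host.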
While the investigation is still ongoing, VMware has analysed its product portfolio and found that the following products are affected:
Versions 2.10 through 2.13 of the VMware Tanzu Application Service for VMs
Versions 2.8 through 2.9 of VMware Tanzu Operations Manager
Versions 1.11 through 1.13 of VMware Tanzu Kubernetes Grid Integrated Edition
Security patches for the first two products have already been released, with point releases covering several version branches, while a permanent fix for VMware Tanzu Kubernetes Grid Integrated Edition is still in progress.
VMware has published workaround instructions for certain installations to help administrators temporarily secure their systems until the fixes are released.
VMware has determined that exploitation of Spring4Shell in TKGI is complex; the mitigation advice and forthcoming security update are nonetheless offered to maintain customer confidence and to minimize false positives.
Nonetheless, to ensure that your deployments are protected from opportunistic threat actors, the official security advice should be followed without fail and without delay.