Spring4Shell RCE vulnerability [CVE-2022-22965] - All you need to know

About the vulnerability:

Tracked as CVE-2022-22965, Spring4Shell is a zero-day vulnerability in the Spring Core Framework.

CVE ID: CVE-2022-22965
Description: Remote Code Execution
Impact: Zero-day

* CVE-2022-22965 has been published.
** Currently, we do not support patching/mitigation for this vulnerability.


As per the Spring Blog:


"The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it."
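The quoted passage gives three preconditions for the known exploit path: a JDK at version 9 or higher, deployment as a WAR, and Tomcat as the container. The following POSIX shell script is an added triage example written for this post; it is not code from ManageEngine or from the Spring project. It encodes those preconditions as functions that take their inputs as arguments, so it can be run against constructed sample values offline; the function names (jdk_is_9_plus, deployment_matches_exploit, count_wars, triage), the "war"/"jar" and container labels, and the sample version strings are assumptions made here, not values from the post. It does not check Spring Framework version numbers, since the post does not list them.

```shell
#!/bin/sh
# Added triage helper (not from the ManageEngine post or the Spring project).
# Encodes the preconditions quoted from the Spring blog: JDK 9+, WAR packaging,
# Tomcat as the servlet container. All inputs are passed as arguments.

# Return 0 if the JDK major version is 9 or higher, else 1.
# Accepts "java -version" style strings: "1.8.0_312", "11.0.14", "17".
jdk_is_9_plus() {
    major="${1%%.*}"              # text before the first dot
    if [ "$major" = "1" ]; then   # legacy 1.x scheme: "1.8" means Java 8
        rest="${1#1.}"
        major="${rest%%.*}"
        major="${major%%_*}"
    fi
    case "$major" in
        ''|*[!0-9]*) return 1 ;;  # unparseable version string: treat as not 9+
    esac
    [ "$major" -ge 9 ]
}

# Return 0 when the deployment matches the exploit path described in the quote
# (WAR on Tomcat), else 1. $1 is "war" or "jar"; $2 is the container name.
deployment_matches_exploit() {
    [ "$1" = "war" ] && [ "$2" = "tomcat" ]
}

# Count .war files in a webapps directory given as $1 (hypothetical helper for
# inventorying a Tomcat host; prints the count on stdout).
count_wars() {
    n=0
    for f in "$1"/*.war; do
        if [ -e "$f" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Print a verdict: "exposed" when both preconditions hold, "jdk-9plus-only" when
# only the JDK precondition holds (the quote notes the root cause is more general
# than the known exploit), otherwise "not-matching".
triage() {
    jdk="$1"; pkg="$2"; container="$3"
    if jdk_is_9_plus "$jdk"; then
        if deployment_matches_exploit "$pkg" "$container"; then
            echo "exposed"
        else
            echo "jdk-9plus-only"
        fi
    else
        echo "not-matching"
    fi
}

# Constructed sample inputs (not taken from any real system).
triage "17.0.2" war tomcat      # exposed
triage "11.0.14" jar embedded   # jdk-9plus-only
triage "1.8.0_312" war tomcat   # not-matching
```

On a real host the first argument to triage would come from parsing the output of `java -version`, and count_wars would be pointed at the Tomcat webapps directory to find WAR deployments worth a closer look; a "jdk-9plus-only" verdict still warrants attention because, as the quote says, the underlying issue is broader than the one demonstrated exploit path.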

Am I affected?

We are glad to announce that none of ManageEngine's UEMS applications are affected by the zero-day vulnerability.

Further Updates:

The ManageEngine team is constantly analyzing the vulnerability details. Any further updates will be added to this forum post.


Cheers,

The ManageEngine Team

