Spring4Shell RCE vulnerability [CVE-2022-22965] - All you need to know
About the vulnerability:
Tracked as CVE-2022-22965, Spring4Shell is a zero-day vulnerability in the Spring Core Framework.
| CVE ID | Description | Impact |
| --- | --- | --- |
| CVE-2022-22965 | Remote Code Execution | Zero-day |
** Currently, we don't support patching/mitigation for this vulnerability.
As per the Spring Blog:
"The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it."
Am I affected:
We are glad to announce that none of ManageEngine's UEMS applications are affected by the zero-day vulnerability.
Further Updates:
The ManageEngine team is constantly analyzing the vulnerability details. Any further updates will be added to this forum post.
Cheers,
The ManageEngine Team