
DTEN Vulnerability Statement CVE-2022-22965, CVE-2022-22963

Created by DTEN Support, Modified on Thu, 28 May at 4:58 AM by RCK Freshwork

 

Vulnerability Statement

CVE-2022-22965, CVE-2022-22963

 

2022-04-01

 

Security Overview

Upon receiving reports regarding these vulnerabilities, the DTEN Security team began an investigation to determine any potential impacts on our system. At this time, DTEN has determined that none of its systems have been compromised by this attack, and no intrusion has occurred.

 

DTEN’s layered defense includes technologies and controls to identify and/or prevent these types of threats, including assessing vulnerabilities and applying appropriate protection and detection control updates.

 

At-A-Glance Summary

Row 1

  Product / Type: Spring Core / framework
  Threat / Type: Spring4Shell / bug - allows unauthenticated execution of arbitrary code
  Severity / DTEN Impact: High / DTEN is not impacted (DTEN uses later version (jdk8) which is unaffected)
  Attacks on DTEN: None
  Fix Available?: Yes (not needed for DTEN)

Row 2

  Product / Type: Spring Cloud Function / SpringBoot middleware
  Threat / Type: SpEL expression injection / allows remote command execution
  Severity / DTEN Impact: High / DTEN is not impacted (does not use Spring Cloud Function Framework)
  Attacks on DTEN: None
  Fix Available?: Yes (not needed for DTEN)

 

Vulnerability Scope & Details

CVE-2022-22965

Reference:

https://nvd.nist.gov/vuln/detail/CVE-2022-22965

Spring4Shell is a bug in Spring Core, a popular application framework that allows software developers to quickly and easily develop Java applications with enterprise-level features. These applications can then be deployed on servers, such as Apache Tomcat, as stand-alone packages with all the required dependencies.

The bug allows an unauthenticated attacker to execute arbitrary code on a vulnerable system.

In its vulnerability report, Spring Core itself stated that for the “specific exploit” to work, an application must meet the following prerequisites:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

 

Products affected by CVE-2022-22965 

  • None

 

CVE-2022-22963

Reference: 

https://nvd.nist.gov/vuln/detail/CVE-2022-22963

Spring Cloud Function is a serverless (FaaS) middleware developed by SpringBoot that supports SpEL-based dynamic routing of functions. When Spring Cloud Function has the functionRouter dynamic routing enabled and the HTTP request includes the spring.cloud.function.routing-expression header, the header value is evaluated as a SpEL expression. This makes it vulnerable to SpEL expression injection, which attackers can use to perform remote command execution.
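The precondition described above (a request to the functionRouter carrying the spring.cloud.function.routing-expression header) is something a defender can look for in request logs or at a reverse proxy. The following is an added illustration, not code from DTEN or from the Spring project: it parses raw HTTP requests and flags those matching the precondition. The router path /functionRouter and the sample requests are assumptions constructed for the example.

```python
from typing import Dict, List

# Header the advisory names as the injection vector; HTTP header names are case-insensitive.
ROUTING_HEADER = "spring.cloud.function.routing-expression"
# Path of the Spring Cloud Function dynamic router; assumed (the page names the function, not its URL).
ROUTER_PATH = "/functionrouter"


def parse_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP request (request line plus headers) into method, path and a lower-cased header map."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block; anything after is body
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": target.split("?", 1)[0], "headers": headers}


def assess(raw: str) -> List[str]:
    """Return the reasons a request matches the CVE-2022-22963 precondition; [] means none."""
    req = parse_request(raw)
    reasons: List[str] = []
    if ROUTING_HEADER in req["headers"]:
        reasons.append("routing-expression header present")
    if req["path"].lower().rstrip("/") == ROUTER_PATH:
        reasons.append("request to functionRouter endpoint")
    return reasons


# Constructed sample requests, not captured traffic. The header value here is an ordinary
# function name in SpEL string form, the benign use the routing feature is designed for.
BENIGN = "POST /uppercase HTTP/1.1\r\nHost: app.example\r\nContent-Type: text/plain\r\n\r\nhello"
FLAGGED = (
    "POST /functionRouter HTTP/1.1\r\nHost: app.example\r\n"
    "Spring.Cloud.Function.Routing-Expression: 'uppercase'\r\n\r\nhello"
)


def scan(requests: Dict[str, str]) -> Dict[str, List[str]]:
    """Assess a batch of named requests; only those with at least one reason are returned."""
    return {name: r for name, raw in requests.items() if (r := assess(raw))}


if __name__ == "__main__":
    for name, reasons in scan({"benign": BENIGN, "flagged": FLAGGED}).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Presence of the header alone is the signal worth alerting on: unless an application is known to route on client-supplied expressions by design, no external client should be sending it, and the fix is to upgrade Spring Cloud Function rather than to filter header values.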

 

Products affected by CVE-2022-22963

  • None

 

Vulnerability Assessment Result

DTEN has determined that none of its systems have been compromised by this attack, and no intrusion has occurred. 

 

If you have additional questions or need to contact DTEN Support, please refer to this DTEN Knowledge Base article for more details:  HERE.
