Last week, security researchers found a critical vulnerability in the popular Java framework, Spring. Many security researchers over the past week have released Proof-of-Concept (POC) exploits for the vulnerability in various forms of the Spring framework, accelerating the need for a patch. Spring4Shell, officially tracked as CVE-2022-22965, is a remote code execution vulnerability with a severity score of 9.8 out of 10. This means that anyone with access to a vulnerable application could execute arbitrary code on the system housing that application.
Specifically, the critical vulnerability affects Spring MVC and Spring WebFlux applications running JDK version 9 and above and is actively being exploited on these applications. The exploit for the vulnerability requires that the application be running on Tomcat as a WAR deployment. VMware has published security updates for this vulnerability for the following applications:
- Spring Framework 5.3.18 and Spring Framework 5.2.20
- Spring Boot 2.5.12
- Spring Boot 2.6.6 (not yet released)
VMware has also reviewed its own product portfolio, and in the ongoing investigation have indicated the following impacted applications:
- VMware Tanzu Application Service for VMs: versions 2.20-2.13 (patch released)
- VMware Tanzu Operations Manager: versions 2.8-2.9 (patch released)
- VMware Tanzu Kubernetes Grid Integrated Edition (TKGI): versions 1.11-1.13 (no patch released)
Updating to the patched versions of the Spring framework is critical. Due to the widespread deployment of the Spring framework, large scale attacks may take advantage of unpatched systems.
For users of VMware Tanzu Kubernetes Grid Integrated Edition (TKGI), VMware has released instructions to assist in the temporary hardening of affected systems until a patch is released. The Spring4Shell exploitation within TKGI is complex, and as such the mitigation advice is designed to provide maximum customer confidence in security, as well as reduced false positives. The VMware guidance can be found here: