CVE-2022-22965 vulnerability in VMware and Other Products
Published on April 1, 2022
Known Exploited Vulnerability
This Spring Framework JDK 9+ Remote Code Execution Vulnerability is on CISA's list of Known Exploited Vulnerabilities. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding: request parameters are bound onto Java object properties, and on JDK 9+ a binder that already blocked the `class.classLoader` path could be steered through the module-based `class.module.classLoader` path to the servlet container's class loader. The publicly known exploit additionally requires Apache Tomcat as the servlet container and a traditional WAR deployment, but the vendor warned that other exploitation paths may exist, so the presence of a vulnerable Spring Framework version on JDK 9+ should be treated as a patch requirement regardless of packaging.
The following remediation action is required by April 25, 2022: apply updates per vendor instructions (Spring Framework 5.3.18 or 5.2.20).
Vulnerability Analysis
CVE-2022-22965 can be exploited with network access and requires neither privileges nor user interaction. The attack complexity is rated low, giving it the highest possible exploitability sub-score (3.9). The impact is rated critical (CVSS 3.1 base score 9.8, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): a successful exploit has a high impact on the confidentiality, integrity and availability of the affected component, since it yields code execution in the context of the application server.
What is a Code Injection Vulnerability?
The software constructs all or part of a code segment using externally influenced input from an upstream component, but it does not neutralize, or incorrectly neutralizes, special elements that could modify the syntax or behavior of the intended code segment.
CVE-2022-22965 has been classified as a Code Injection vulnerability or weakness (CWE-94).
Products Associated with CVE-2022-22965
What versions are vulnerable to CVE-2022-22965?
- VMware Spring Framework Versions 5.3.0 through 5.3.17, Fixed in Version 5.3.18
- VMware Spring Framework Versions 5.2.0 through 5.2.19, Fixed in Version 5.2.20 (older, unsupported release lines are also affected and received no fix)
- Cisco Cx Cloud Agent Fixed in Version 2.1.0
- Oracle Sd Wan Edge Version 9.0
- Oracle Retail Xstore Point Of Service Version 20.0.1
- Oracle Communications Cloud Native Core Security Edge Protection Proxy Version 1.7.0
- Oracle Financial Services Analytical Applications Infrastructure Version 8.1.1
- Oracle Sd Wan Edge Version 9.1
- Siemens Siveillance Identity Version 1.6
- Siemens Siveillance Identity Version 1.5
- Siemens Sipass Integrated Version 2.85
- Siemens Sipass Integrated Version 2.80
- Oracle Product Lifecycle Analytics Version 3.6.1
- Oracle Financial Services Enterprise Case Management Version 8.1.1.0
- Oracle Financial Services Enterprise Case Management Version 8.1.1.1
- Oracle Financial Services Behavior Detection Platform Version 8.1.2.0
- Oracle Financial Services Behavior Detection Platform Version 8.1.1.1
- Oracle Financial Services Behavior Detection Platform Version 8.1.1.0
- Oracle Communications Cloud Native Core Console Version 1.9.0
- Oracle Communications Cloud Native Core Policy Version 1.15.0
- Oracle Communications Cloud Native Core Unified Data Repository Version 1.15.0
- Oracle Communications Cloud Native Core Unified Data Repository Version 22.1.0
- Oracle Communications Cloud Native Core Security Edge Protection Proxy Version 22.1.0
- Oracle Communications Cloud Native Core Policy Version 22.1.0
- Oracle Communications Cloud Native Core Network Slice Selection Function Version 1.8.0
- Oracle Communications Cloud Native Core Network Slice Selection Function Version 22.1.0
- Oracle Communications Cloud Native Core Network Repository Function Version 1.15.0
- Oracle Communications Cloud Native Core Network Repository Function Version 22.1.0
- Oracle Communications Cloud Native Core Network Function Cloud Native Environment Version 22.1.0
- Oracle Communications Cloud Native Core Network Function Cloud Native Environment Version 1.10.0
- Oracle Communications Cloud Native Core Network Exposure Function Version 22.1.0
- Oracle Communications Cloud Native Core Console Version 22.1.0
- Oracle Communications Cloud Native Core Automated Test Suite Version 22.1.0
- Oracle Communications Cloud Native Core Automated Test Suite Version 1.9.0
- Oracle Retail Xstore Point Of Service Version 21.0.0
- Oracle Financial Services Enterprise Case Management Version 8.1.2.0
- Oracle Financial Services Analytical Applications Infrastructure Version 8.1.2.0
- Oracle Communications Policy Management Version 12.6.0.0.0
- Oracle Mysql Enterprise Monitor Fixed in Version 8.0.29
- Oracle Communications Cloud Native Core Network Slice Selection Function Version 1.15.0
- Siemens Operation Scheduler Fixed in Version 2.0.4
- Veritas Access Appliance Version 7.4.3
- Veritas Access Appliance Version 7.4.3.100
- Veritas Access Appliance Version 7.4.3.200
- Veritas Netbackup Virtual Appliance Version 4.0.0.1 maintenance_release1
- Veritas Netbackup Virtual Appliance Version 4.0.0.1 maintenance_release2
- Veritas Netbackup Virtual Appliance Version 4.0.0.1 maintenance_release3
- Veritas Netbackup Virtual Appliance Version 4.1.0.1 maintenance_release1
- Veritas Netbackup Virtual Appliance Version 4.1.0.1 maintenance_release2
- Veritas Netbackup Appliance Version 4.0.0.1 maintenance_release1
- Veritas Netbackup Appliance Version 4.0.0.1 maintenance_release2
- Veritas Netbackup Appliance Version 4.0.0.1 maintenance_release3
- Veritas Netbackup Appliance Version 4.1.0.1 maintenance_release1
- Veritas Netbackup Appliance Version 4.1.0.1 maintenance_release2
- Veritas Netbackup Virtual Appliance Version 4.0
- Veritas Netbackup Virtual Appliance Version 4.1
- Veritas Netbackup Appliance Version 4.0
- Veritas Netbackup Appliance Version 4.1
- Veritas Flex Appliance Version 2.0
- Veritas Flex Appliance Version 2.0.1
- Veritas Flex Appliance Version 2.0.2
- Veritas Flex Appliance Version 2.1
- Veritas Flex Appliance Version 1.3
- Veritas Netbackup Flex Scale Appliance Version 2.1
- Veritas Netbackup Flex Scale Appliance Version 3.0
- Siemens Sinec Network Management System Fixed in Version 1.0.3
- Siemens Simatic Speech Assistant Machines Fixed in Version 1.2.1
- Oracle Weblogic Server Version 12.2.1.3.0
- Oracle Retail Customer Management Segmentation Foundation Version 17.0
- Oracle Retail Customer Management Segmentation Foundation Version 18.0
- Oracle Weblogic Server Version 12.2.1.4.0
- Oracle Weblogic Server Version 14.1.1.0.0
- Oracle Retail Customer Management Segmentation Foundation Version 19.0
- Oracle Retail Merchandising System Version 16.0.3
- Oracle Retail Financial Integration Version 16.0.3
- Oracle Retail Integration Bus Version 16.0.3
- Oracle Communications Unified Inventory Management Version 7.4.1
- Oracle Retail Merchandising System Version 19.0.1
- Oracle Retail Integration Bus Version 14.1.3.2
- Oracle Retail Financial Integration Version 14.1.3.2
- Oracle Retail Integration Bus Version 15.0.3.1
- Oracle Retail Financial Integration Version 15.0.3.1
- Oracle Commerce Platform Version 11.3.2
- Oracle Communications Unified Inventory Management Version 7.4.2
- Oracle Communications Unified Inventory Management Version 7.5.0
- Oracle Retail Integration Bus Version 19.0.1
- Oracle Retail Financial Integration Version 19.0.1
- Oracle Retail Bulk Data Integration Version 16.0.3
- Oracle Communications Cloud Native Core Binding Support Function Version 22.1.3
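The list above is long because every product bundling a vulnerable Spring Framework inherits the bug, so the practical check is the Spring Framework version in a deployment's `WEB-INF/lib` together with the JDK it runs on. The following script is an added example written for this page, not code from stack.watch or from any vendor listed above; it classifies Spring Framework jar file names against the fix versions given for the Spring Framework entries (5.3.18 and 5.2.20, with older lines treated as unfixed) and applies the JDK 9+ precondition from the advisory text. The jar names and `java.version` strings at the bottom are constructed sample input, and the function names (`spring_version_from_jar`, `is_vulnerable_version`, `jdk_major`, `assess`) are this example's own. It deliberately does not try to detect the Tomcat-plus-WAR condition of the known exploit, since that cannot be read from file names and patching is required either way.

```python
import re
from typing import Iterable, Optional

# Fix versions from the affected-version list above; anything below them on the
# same release line is vulnerable. Lines older than 5.2 never received a fix.
FIXED_VERSIONS = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Spring Framework artifacts share one version number, so any of these jars
# reveals the framework version. Matches both "5.3.17" and "5.2.19.RELEASE"
# style file names.
SPRING_JAR = re.compile(
    r"^spring-(?:beans|core|webmvc|webflux)-(\d+)\.(\d+)\.(\d+)(?:[.-][A-Za-z0-9.]+)?\.jar$"
)


def spring_version_from_jar(jar_name: str) -> Optional[tuple]:
    """Return (major, minor, patch) for a Spring Framework jar file name, else None."""
    m = SPRING_JAR.match(jar_name)
    return tuple(int(g) for g in m.groups()) if m else None


def is_vulnerable_version(version: tuple) -> bool:
    """True if this Spring Framework version predates the CVE-2022-22965 fix on its line."""
    line = version[:2]
    if line in FIXED_VERSIONS:
        return version < FIXED_VERSIONS[line]
    if version < (5, 2, 0):
        return True  # unsupported 5.1.x and older: affected, never fixed
    return False  # later lines (6.x) were cut after the fix landed


def jdk_major(java_version: str) -> int:
    """Map a java.version string to its feature release: '1.8.0_322' -> 8, '11.0.14' -> 11, '17' -> 17."""
    parts = java_version.split(".")
    if parts[0] == "1" and len(parts) > 1:
        return int(re.match(r"\d+", parts[1]).group())
    return int(re.match(r"\d+", parts[0]).group())


def assess(jar_names: Iterable[str], java_version: str) -> dict:
    """Classify one deployment from its lib directory listing and runtime java.version.

    If several Spring Framework jars with different versions are present, the
    oldest one governs, because a single stale spring-beans jar is enough.
    """
    versions = sorted({v for v in map(spring_version_from_jar, jar_names) if v})
    oldest = versions[0] if versions else None
    vuln_version = oldest is not None and is_vulnerable_version(oldest)
    jdk9 = jdk_major(java_version) >= 9
    return {
        "spring_version": ".".join(map(str, oldest)) if oldest else None,
        "vulnerable_version": vuln_version,
        "jdk9_plus": jdk9,
        # Patch whenever the version is vulnerable; the JDK check only tells you
        # whether the publicly known exploit chain applies as-is.
        "patch_required": vuln_version,
        "known_exploit_preconditions": vuln_version and jdk9,
    }


# Constructed sample deployments (not real inventory data).
SAMPLE_DEPLOYMENTS = {
    "app-on-jdk11": (["spring-beans-5.3.17.jar", "spring-webmvc-5.3.17.jar",
                      "tomcat-embed-core-9.0.60.jar"], "11.0.14"),
    "app-on-jdk8": (["spring-beans-5.2.19.RELEASE.jar", "spring-webmvc-5.2.19.RELEASE.jar"],
                    "1.8.0_322"),
    "patched-app": (["spring-beans-5.3.18.jar", "spring-webmvc-5.3.18.jar"], "17.0.2"),
    "no-spring": (["tomcat-embed-core-9.0.60.jar"], "17"),
}

if __name__ == "__main__":
    for name, (jars, jdk) in SAMPLE_DEPLOYMENTS.items():
        print(f"{name}: {assess(jars, jdk)}")
```

Running it on a real host means replacing the constructed listing with `os.listdir` of the exploded `WEB-INF/lib` and the output of `java -XshowSettings:properties -version` for `java.version`; note that shaded or fat jars hide the Spring version and need a manifest or POM inspection instead.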