CVE-2022-22965
CVE-2022-22965, widely known as Spring4Shell, is a critical-severity vulnerability with a CVSS v3.1 base score of 9.8. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The publicly known exploit requires the application to run on Tomcat as a WAR deployment. CISA has confirmed active exploitation in the wild. EPSS, at the time this page was generated, put the probability of exploitation activity in the next 30 days at 99.68%.
Description
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Status
This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by .
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Vmware | Spring Framework | < 5.2.20 | — |
| Vmware | Spring Framework | >= 5.3.0, < 5.3.18 | — |
| Cisco | Cx Cloud Agent | < 2.1.0 | — |
| Oracle | Communications Cloud Native Core Automated Test Suite | 1.9.0 | — |
| Oracle | Communications Cloud Native Core Automated Test Suite | 22.1.0 | — |
| Oracle | Communications Cloud Native Core Console | 1.9.0 | — |
| Oracle | Communications Cloud Native Core Console | 22.1.0 | — |
| Oracle | Communications Cloud Native Core Network Exposure Function | 22.1.0 | — |
| Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 1.10.0 | — |
| Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 22.1.0 | — |
| Oracle | Communications Cloud Native Core Network Repository Function | 1.15.0 | — |
| Oracle | Communications Cloud Native Core Network Repository Function | 22.1.0 | — |
| Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.8.0 | — |
| Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.15.0 | — |
| Oracle | Communications Cloud Native Core Network Slice Selection Function | 22.1.0 | — |
| Oracle | Communications Cloud Native Core Policy | 1.15.0 | — |
| Oracle | Communications Cloud Native Core Policy | 22.1.0 | — |
| Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 1.7.0 | — |
| Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 22.1.0 | — |
| Oracle | Communications Cloud Native Core Unified Data Repository | 1.15.0 | — |
| Oracle | Communications Cloud Native Core Unified Data Repository | 22.1.0 | — |
| Oracle | Communications Policy Management | 12.6.0.0.0 | — |
| Oracle | Financial Services Analytical Applications Infrastructure | 8.1.1 | — |
| Oracle | Financial Services Analytical Applications Infrastructure | 8.1.2.0 | — |
| Oracle | Financial Services Behavior Detection Platform | 8.1.1.0 | — |
| Oracle | Financial Services Behavior Detection Platform | 8.1.1.1 | — |
| Oracle | Financial Services Behavior Detection Platform | 8.1.2.0 | — |
| Oracle | Financial Services Enterprise Case Management | 8.1.1.0 | — |
| Oracle | Financial Services Enterprise Case Management | 8.1.1.1 | — |
| Oracle | Financial Services Enterprise Case Management | 8.1.2.0 | — |
| Oracle | Mysql Enterprise Monitor | < 8.0.29 | — |
| Oracle | Product Lifecycle Analytics | 3.6.1 | — |
| Oracle | Retail Xstore Point Of Service | 20.0.1 | — |
| Oracle | Retail Xstore Point Of Service | 21.0.0 | — |
| Oracle | Sd-Wan Edge | 9.0 | — |
| Oracle | Sd-Wan Edge | 9.1 | — |
| Siemens | Operation Scheduler | < 2.0.4 | — |
| Siemens | Sipass Integrated | 2.80 | — |
| Siemens | Sipass Integrated | 2.85 | — |
| Siemens | Siveillance Identity | 1.5 | — |
| Siemens | Siveillance Identity | 1.6 | — |
| Veritas | Access Appliance | 7.4.3 | — |
| Veritas | Access Appliance | 7.4.3.100 | — |
| Veritas | Access Appliance | 7.4.3.200 | — |
| Veritas | Flex Appliance | 1.3 | — |
| Veritas | Flex Appliance | 2.0 | — |
| Veritas | Flex Appliance | 2.0.1 | — |
| Veritas | Flex Appliance | 2.0.2 | — |
| Veritas | Flex Appliance | 2.1 | — |
| Veritas | Netbackup Flex Scale Appliance | 2.1 | — |
Showing 50 of 83 affected configurations. See NVD for the full list.
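A check against the two Spring Framework rows above, as an added example written for this page (not a tool from NVD, VMware or the Spring project): it parses the version embedded in framework jar names, applies the `< 5.2.20` and `>= 5.3.0, < 5.3.18` ranges with numeric rather than lexical comparison, and tests the JDK 9+ precondition from the description. The jar paths in `main` are constructed sample input, and the Maven jar naming (`spring-beans-<version>.jar`) is an assumption.

```java
// Added example for this page, not from NVD or Spring: decide whether a jar
// inventory and runtime match the affected rows above (Spring Framework
// < 5.2.20, or >= 5.3.0 and < 5.3.18) and the JDK 9+ precondition.
// The sample paths in main are constructed for illustration.
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class Spring4ShellCheck {
    private Spring4ShellCheck() {}

    // Leading digits of each dot-separated part; qualifiers such as
    // "19.RELEASE" or "18-SNAPSHOT" contribute only their numeric prefix.
    static int[] parse(String version) {
        String[] parts = version.split("\\.");
        int[] v = new int[3];
        for (int i = 0; i < 3 && i < parts.length; i++) {
            Matcher m = Pattern.compile("^\\d+").matcher(parts[i]);
            if (!m.find()) break;      // "RELEASE", "M1": stop, rest stays 0
            v[i] = Integer.parseInt(m.group());
        }
        return v;
    }

    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) return Integer.compare(a[i], b[i]);
        }
        return 0;
    }

    /** True when the version is inside either VMware row of the table. */
    public static boolean isAffectedVersion(String version) {
        int[] v = parse(version);
        if (compare(v, new int[] {5, 2, 20}) < 0) return true;
        return compare(v, new int[] {5, 3, 0}) >= 0 && compare(v, new int[] {5, 3, 18}) < 0;
    }

    // Assumed Maven naming of the framework jars that carry the data binder.
    private static final Pattern SPRING_JAR =
        Pattern.compile("spring-(?:beans|core|context|webmvc|webflux)-(\\d[^/]*)\\.jar$");

    /** Jar paths whose embedded version is affected; non-Spring jars are skipped. */
    public static List<String> affectedJars(List<String> jarPaths) {
        List<String> hits = new ArrayList<>();
        for (String path : jarPaths) {
            Matcher m = SPRING_JAR.matcher(path);
            if (m.find() && isAffectedVersion(m.group(1))) hits.add(path);
        }
        return hits;
    }

    /** java.specification.version is "1.8" for JDK 8 and "9", "11", "17" for 9+. */
    public static boolean jdkAtLeast9(String specVersion) {
        if (specVersion.startsWith("1.")) return false;
        return Integer.parseInt(specVersion.split("\\.")[0]) >= 9;
    }

    public static void main(String[] args) {
        List<String> inventory = List.of(   // constructed sample, not a real scan
            "webapps/app/WEB-INF/lib/spring-beans-5.3.17.jar",
            "webapps/app/WEB-INF/lib/spring-webmvc-5.3.17.jar",
            "webapps/app/WEB-INF/lib/jackson-databind-2.13.2.jar",
            "webapps/legacy/WEB-INF/lib/spring-core-5.2.19.RELEASE.jar",
            "webapps/new/WEB-INF/lib/spring-core-5.3.18.jar");
        boolean jdk9 = jdkAtLeast9(System.getProperty("java.specification.version"));
        // Expected: the two 5.3.17 jars and the 5.2.19.RELEASE jar are reported.
        for (String hit : affectedJars(inventory)) {
            System.out.println("affected version: " + hit
                + (jdk9 ? "" : " (JDK < 9, description's precondition not met)"));
        }
    }
}
```

The check deliberately flags an affected version whether the application ships as a WAR on Tomcat or as an executable jar: the description says only that the public exploit needs the Tomcat WAR layout, not that other packaging is immune, so packaging belongs in the exploitability assessment rather than in the version test.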
References
- http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html (Exploit, Third Party Advisory, VDB Entry)
- http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html (Third Party Advisory, VDB Entry)
- https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf (Patch, Third Party Advisory)
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005 (Third Party Advisory)
- https://tanzu.vmware.com/security/cve-2022-22965 (Mitigation, Vendor Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
- https://www.kb.cert.org/vuls/id/970766 (US Government Resource)
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22965 (US Government Resource)
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2022-22965?
How severe is CVE-2022-22965?
How do I fix CVE-2022-22965?
Are you affected by CVE-2022-22965?
Source: NVD / NIST
