Download PDF
Download page Security Advisory: CVE-2022-22965 in Spring Framework.
Security Advisory: CVE-2022-22965 in Spring Framework
| Advisory ID: | appd-sa-java-spring4shell-rce | CVE-2022-22965 CWE-120 |
First Published: | 2022 April 04 18:00 PDT | ||
Last Updated: | 2022 April 13 11:00 PDT | ||
Version 1.6: | Final | ||
Workarounds: | None | ||
CVSS Score: | Base 9.8 |
Summary
On March 31, 2022, the following critical vulnerability in the Spring Framework affecting Spring MVC and Spring WebFlux applications running on JDK 9+ was released:
- CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+Spring Framework RCE via Data Binding on JDK 9+
For a description of this vulnerability, see VMware Spring Framework Security Vulnerability Report.
This advisory is intended to address products used by AppDynamics' customers on their premises and which may require customers to take action.
The AppDynamics’ SaaS platform is continually monitored and improved. Should there be any impact from this vulnerability to our SaaS customers, we will communicate directly with those customers through standard support channels.
This advisory will be updated as more information is available, and is available at the following link: https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+CVE-2022-22965+in+Spring+Framework
For questions about other Cisco products, see the Cisco Public Advisory.
Affected Products
Products Confirmed Not Vulnerable
AppDynamics has confirmed that the following products are not affected by this vulnerability:
.NET Agent
- ABAP Agent (SAP ABAP Monitoring)
- Analytics Agent
- Apache Web Server Agent
Browser Real User Monitoring (BRUM)
- C/C++ SDK Agent
- Cluster Agent
- Config Exporter Tool
- Database Agent
- Enterprise Console / Controller (On-Premises)
- EUM GeoServer
- EUM Server
- Events Service (On-Premises)
- Events Service (SaaS)
- Go Language SDK Agent
- IBM Integration Bus Agent (IIB) Agent
- IoT Device SDKs (C/C++, Java, REST API)
- Java Agent
- Machine Agent
- Machine Agent Extensions
- Mobile RUM Agent
- Network Agent
- Node.js Agent
- PHP Agent
- Python Agent
- Ruby Agent
- ServiceNow Utility (AppDynamics CMDB Integration)
- Synthetic Server
Synthetic Private Agent (Linux-based)
Synthetic Private Agent (Windows-based)
Workarounds
No workarounds are available for this vulnerability.
Exploitation and Public Announcements
Cisco's Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory.
Source
This vulnerability was publicly disclosed by VMware on March 31, 2022.
URL
https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+CVE-2022-22965+in+Spring+Framework
Revision History
| Version | Description | Section | Status | Date |
|---|---|---|---|---|
| 1.0 | Initial public release. | — | Interim | 2022-APR-04 18:00 PDT |
| 1.1 | Updated products not vulnerable. | Affected Products | Interim | 2022-APR-05 12:00 PDT |
| 1.2 | Updated products not vulnerable. | Affected Products | Interim | 2022-APR-05 22:00 PDT |
| 1.3 | Updated products not vulnerable. | Affected Products | Interim | 2022-APR-06 15:00 PDT |
| 1.4 | Updated products not vulnerable. | Affected Products | Interim | 2022-APR-07 10:00 PDT |
| 1.5 | Updated products not vulnerable. | Affected Products | Interim | 2022-APR-08 13:00 PDT |
| 1.6 | Updated products not vulnerable. | Affected Products | Interim | 2022-APR-13 11:00 PDT |
LEGAL DISCLAIMER
ANY SOFTWARE OR RELEASES, INCLUDING BUT NOT LIMITED TO PATCHES, UPGRADES, AND HOTFIXES, MENTIONED IN THIS SECURITY ADVISORY IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. APPDYNAMICS DISCLAIMS ALL REPRESENTATIONS OR WARRANTIES, EITHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT THERETO, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL APPDYNAMICS, ITS AFFILIATES, OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS, OR SPECIAL DAMAGES, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY TO YOU.
THE INFORMATION PROVIDED IN THIS SECURITY ADVISORY IS FOR INFORMATIONAL PURPOSES ONLY AND IN NO WAY SHALL BE CONSTRUED AS AN ALTERATION OF APPDYNAMICS’ EXISTING CONTRACTUAL OBLIGATIONS WITH ITS END USERS REGARDING VULNERABILITY MANAGEMENT OR OTHERWISE. END USERS ARE ENCOURAGED TO READ THE REQUIREMENTS SET FORTH HEREIN AND PERFORM THEIR OWN ANALYSIS OF THE APPLICABILITY AND IMPACT OF THE INFORMATION WITH RESPECT TO THEIR SPECIFIC CONFIGURATION AND USE CASE OF THE APPDYNAMICS SOFTWARE.