
Spring remote code execution vulnerabilities (CVE-2022-22963, CVE-2022-22965) do not affect IMiS ARChive servers

Product: IMiS/ARChive
Release: All
Date: 04/11/2022

Case: Critical vulnerabilities that allow remote code execution were recently discovered in the Spring framework. IMiS ARChive servers are not affected because they do not use the Spring framework.

Description:

Two critical vulnerabilities, CVE-2022-22963 and CVE-2022-22965, were recently discovered in the Spring framework. Both allow an unauthenticated attacker to execute arbitrary code on the target system.

CVE-2022-22963: The vulnerability allows an attacker to execute arbitrary code server-side by supplying a Spring Expression Language (SpEL) expression to Spring Cloud Function via an unvalidated HTTP header.

CVE-2022-22965: The vulnerability allows an attacker to send a malicious request to Spring Core (Spring MVC and Spring WebFlux) that bypasses the fix for CVE-2010-1622 and gains access to restricted functionality within the JVM.

The Spring framework is not used by IMiS ARChive servers, so they are not affected by CVE-2022-22963 or CVE-2022-22965.
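The statement above rests on a dependency check: a Java deployment is out of scope for these CVEs only if it ships no Spring artefacts at all, or only artefacts at or above the fixed releases. The script below is an added example written for this note, not IMiS code, that performs that check on a jar/war/ear: it looks for classes under org/springframework/, reads the Maven pom.properties entries for the spring-beans and spring-cloud-function-context artefacts, and compares their versions against the fixed releases published in the Spring advisories linked under Related Documents (Spring Framework 5.2.20 / 5.3.18 for CVE-2022-22965, Spring Cloud Function 3.1.7 / 3.2.3 for CVE-2022-22963). Nested jars one level deep (WEB-INF/lib/, BOOT-INF/lib/) are opened as well. The sample archives are constructed in memory so the example runs offline; the archive layouts, artefact names and thresholds are assumptions documented in the comments.

```python
"""Check a Java archive for Spring artefacts and their CVE-2022-22963/22965 exposure.

Added example, not IMiS or Spring project code. Fixed versions below are the ones
published in the Spring advisories referenced by this note.
"""
import io
import re
import zipfile
from pathlib import Path

# artifact -> (CVE, {branch: first fixed version in that branch})
# CVE-2022-22965: Spring Framework 5.2.20 and 5.3.18; older 5.x/4.x branches remain unpatched.
# CVE-2022-22963: Spring Cloud Function 3.1.7 and 3.2.3; older branches remain unpatched.
FIXED_VERSIONS = {
    "spring-beans": ("CVE-2022-22965", {(5, 2): (5, 2, 20), (5, 3): (5, 3, 18)}),
    "spring-cloud-function-context": ("CVE-2022-22963", {(3, 1): (3, 1, 7), (3, 2): (3, 2, 3)}),
}
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_version(text):
    """'5.3.17.RELEASE' -> (5, 3, 17); non-numeric qualifiers end the parse."""
    nums = []
    for part in text.strip().split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def is_vulnerable(artifact, version):
    """True when this artefact version predates its fixed release."""
    if artifact not in FIXED_VERSIONS:
        return False
    _, fixed_by_branch = FIXED_VERSIONS[artifact]
    v = parse_version(version)
    branch = v[:2]
    if branch in fixed_by_branch:
        return v < fixed_by_branch[branch]
    # Branches older than the first maintained one never received the fix;
    # anything newer postdates it.
    return branch < min(fixed_by_branch)


def scan_archive(source, _depth=0):
    """Scan a jar/war/ear given as a path or raw bytes; nested jars are opened one level deep."""
    data = source if isinstance(source, (bytes, bytearray)) else Path(source).read_bytes()
    report = {"spring_classes": False, "artifacts": {}, "findings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("org/springframework/"):
                report["spring_classes"] = True
            m = POM_PROPS.match(name)
            if m and m.group(1).startswith("org.springframework"):
                props = dict(
                    line.split("=", 1)
                    for line in zf.read(name).decode("utf-8", "replace").splitlines()
                    if "=" in line and not line.startswith("#")
                )
                artifact, version = m.group(2), props.get("version", "").strip()
                report["artifacts"][artifact] = version
                if version and is_vulnerable(artifact, version):
                    report["findings"].append((FIXED_VERSIONS[artifact][0], artifact, version))
            if name.endswith(".jar") and _depth < 1:
                nested = scan_archive(zf.read(name), _depth + 1)
                report["spring_classes"] = report["spring_classes"] or nested["spring_classes"]
                report["artifacts"].update(nested["artifacts"])
                report["findings"].extend(nested["findings"])
    return report


def build_sample_archive(artifacts, with_classes=True):
    """Constructed in-memory jar (test data, not a real build) with Maven pom.properties entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_classes:
            zf.writestr("org/springframework/beans/BeanUtils.class", b"\xca\xfe\xba\xbe")
        for artifact, version in artifacts.items():
            zf.writestr(f"META-INF/maven/org.springframework/{artifact}/pom.properties",
                        f"#generated\nversion={version}\nartifactId={artifact}\n")
    return buf.getvalue()


def build_sample_war(lib_jars):
    """Constructed war that wraps jars under WEB-INF/lib/, to exercise nested scanning."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar_name, jar_bytes in lib_jars.items():
            zf.writestr(f"WEB-INF/lib/{jar_name}", jar_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        r = scan_archive(path)
        status = "VULNERABLE" if r["findings"] else ("Spring present" if r["spring_classes"] else "no Spring")
        print(f"{path}: {status} {r['findings'] or r['artifacts']}")
```

Run it as `python check_spring.py app.war lib/*.jar`; an archive that reports "no Spring" is the condition this note relies on for IMiS ARChive, while "Spring present" with no findings means the artefact metadata is at or past the fixed releases. Metadata-only checks miss shaded or repackaged jars without pom.properties, so a "Spring present" result with an empty artefact list should be reviewed by hand.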

Related Documents:

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
https://tanzu.vmware.com/security/cve-2022-22965
https://github.com/lunasec-io/Spring4Shell-POC
https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
https://access.redhat.com/security/vulnerabilities/RHSB-2022-003
https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/
https://www.praetorian.com/blog/spring-core-jdk9-rce/
https://tanzu.vmware.com/security/cve-2022-22963
https://www.akamai.com/blog/security/spring-core-spring4shell-zero-day/_jcr_content
https://www.akamai.com/blog/security/spring-cloud-function
https://spring.io/projects/spring-cloud-function
https://access.redhat.com/security/cve/CVE-2010-1622
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1622
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
