Spring remote code execution vulnerabilities (CVE-2022-22963, CVE-2022-22965) do not affect IMiS ARChive servers
Product:
IMiS/ARChive
Release:
All
Date:
04/11/2022
Case:
Critical vulnerabilities that allow remote code execution were recently discovered in the Spring Framework.
IMiS ARChive servers are not affected because they do not use the Spring Framework.
Description:
Two critical vulnerabilities, CVE-2022-22963 and CVE-2022-22965, were recently discovered in the Spring Framework.
Both allow an unauthenticated attacker to execute arbitrary code on the target system.
CVE-2022-22963:
The vulnerability allows an attacker to execute arbitrary code on the server side by using the Spring Expression Language (SpEL) in
Spring Cloud Function via an unvalidated HTTP header.
CVE-2022-22965:
The vulnerability allows an attacker to send a malicious request to Spring Core (Spring MVC and Spring WebFlux), bypassing
the protection introduced for CVE-2010-1622 to gain access to restricted functionality within the JVM.
The Spring Framework is not used by IMiS ARChive servers, and therefore they are not affected by CVE-2022-22963 and CVE-2022-22965.
Related Documents:
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
https://tanzu.vmware.com/security/cve-2022-22965
https://github.com/lunasec-io/Spring4Shell-POC
https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
https://access.redhat.com/security/vulnerabilities/RHSB-2022-003
https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/
https://www.praetorian.com/blog/spring-core-jdk9-rce/
https://tanzu.vmware.com/security/cve-2022-22963
https://www.akamai.com/blog/security/spring-core-spring4shell-zero-day/_jcr_content
https://www.akamai.com/blog/security/spring-cloud-function
https://spring.io/projects/spring-cloud-function
https://access.redhat.com/security/cve/CVE-2010-1622
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1622
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
Copyright © Imaging Systems Ltd, 2024