Broadcom Response to Spring4Shell Vulnerability

20476

05 April 2022

01 April 2022

Broadcom security and engineering teams are reviewing our information technology environment and product portfolio to identify and remediate any potential exposures to the recently disclosed critical vulnerability in applications using the VMware Spring Framework.

According to a vulnerability report released by VMware on March 31, 2022, a Spring Framework application running on Java Development Kit version 9 or later may be vulnerable to remote code execution attacks and follow-on exploitation under certain conditions. This vulnerability has been assigned CVE-2022-22965 and is known as “Spring4Shell.”

Corporate Infrastructure and Services: Broadcom’s Global Technology Organization is conducting software asset reviews to identify any potentially affected applications. Any necessary mitigations, including upgrades to patched versions of the Spring Framework, will be implemented in accordance with vendor recommendations. At this time, we have no indication of compromise related to this vulnerability. 

Broadcom Products: Engineers from our product teams are assessing all software that incorporates any version of the vulnerable Spring Framework. More specific information (e.g., information about necessary patches/hotfixes, workarounds, or other required customer actions) is available within the following security advisories from our product divisions, which are regularly updated:

Additional Insights: For additional expert insights into the threats posed by the Spring4Shell vulnerability -- including information about how our Symantec security products can mitigate exposure to these threats -- please visit the Symantec Threat Intelligence blog.

As a founding member of the U.S. Department of Homeland Security's Joint Cyber Defense Collaborative, Broadcom Software partners with the Cybersecurity and Infrastructure Security Agency (CISA) and other industry leaders to share actionable intelligence and insights into exploitation activities relating to this and other critical security vulnerabilities.