Symantec Security Advisory for Spring Framework CVE-2022-22965
20427
20 October 2022
01 April 2022
CLOSED
CRITICAL
Summary
Symantec is investigating CVE-2022-22965, aka Spring4Shell, which is an RCE vulnerability in the Spring Framework. When exploited, the vulnerability allows an unauthenticated attacker to execute arbitrary code on the target system.
Affected Product(s)
The following products and product versions are affected.
Symantec Endpoint Protection Manager

| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2022-22965 | 14.3 RU3 and earlier | Upgrade to 14.3 RU4 and run LiveUpdate to download Symantec Endpoint Protection Manager API 14.3 RU4 content revision 04/01/2022 r16 or newer. |
Data Center Security Manager

| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2022-22965 | 6.9.1 and earlier | Apply the 6.9.1 b532 Server Update (Server_DCS691_b532.zip) available on the Support Downloads portal. |
Critical System Protection

| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2022-22965 | 8.0.2 and earlier | Apply the 8.0.2 b81 Server Update (SCSP_8.0.2_Server_Refresh.zip) available on the Support Downloads portal. |
Threat Defense for Active Directory

| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2022-22965 | 3.6.2.5 and earlier | Upgrade to 3.6.2.6, available on the Support Downloads portal. |
Additional Product Information
The following products are not vulnerable:
- Advanced Secure Gateway (ASG)
- BCAAA
- Cloud Workload Assurance (CWA)
- Cloud Workload Protection (CWP)
- Cloud Workload Protection for Storage (CWP:S)
- CloudSOC Cloud Access Security Broker (CASB)
- Content Analysis
- Critical System Protection (CSP)
- Data Loss Prevention (DLP)
- Ghost Solution Suite (GSS)
- HSM Agent
- Industrial Control System Protection (ICSP)
- Information Centric Analytics (ICA)
- Information Centric Tagging (ICT)
- Integrated Cyber Defense Exchange (ICDx)
- Integrated Secure Gateway (ISG)
- IT Analytics (ITA)
- IT Management Suite
- Layer7 API Developer Portal
- Layer7 API Developer Portal SaaS
- Layer7 API Gateway
- Layer7 Live API Creator
- LiveUpdate Administrator (LUA)
- Management Center (MC)
- Mirror Gateway
- PacketShaper (PS) S-Series
- PolicyCenter (PC) S-Series
- ProxySG
- Reporter
- Secure Access Cloud (SAC)
- Security Analytics (SA)
- SSL Visibility (SSLV)
- Symantec Advanced Authentication
- Symantec Control Compliance Suite (CCS)
- Symantec Directory
- Symantec Endpoint Detection and Response (EDR) On-premise
- Symantec Endpoint Encryption (SEE)
- Symantec Endpoint Protection (SEP) Agent
- Symantec Endpoint Protection (SEP) for Mobile
- Symantec Identity Governance and Administration
- Symantec Insight for Private Clouds
- Symantec Mail Security for Microsoft Exchange (SMSMSE)
- Symantec Messaging Gateway (SMG)
- Symantec PGP Solutions
- Symantec Privileged Access Manager
- Symantec Privileged Access Manager Server Control
- Symantec Privileged Identity Manager
- Symantec Protection Engine (SPE)
- Symantec Protection for SharePoint Servers (SPSS)
- Symantec SiteMinder (CA Single Sign-on)
- Symantec VIP
- Symantec VIP Authentication Hub (separate from Symantec VIP)
- Threat Defense for Active Directory (TDAD)
- Web Isolation (WI)
- Web Security Services (WSS)
Symantec Protection Bulletins
Multiple Symantec products can detect and provide protection against attacks exploiting CVE-2022-22965 in customer environments. Refer to the following publications for more information:
- Symantec Protection Bulletin: https://www.broadcom.com/support/security-center/protection-bulletin#blta69615250a6a88b8_en-us
Issue Details
CVE-2022-22965

| Field | Value |
| --- | --- |
| Severity / CVSS v3.1 | Critical / 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| References | NVD: CVE-2022-22965 |
| Impact | Remote code execution (RCE) |
| Description | A request binding flaw in the Spring Framework allows a remote unauthenticated attacker to send malicious HTTP requests and execute arbitrary code on the target system. This vulnerability impacts Spring MVC and Spring WebFlux applications running on Java 9+. |
References
- Spring Framework CVE-2022-22965 - https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
- CVE-2022-22965: Spring Framework RCE via Data Binding on JDK9+ - https://tanzu.vmware.com/security/cve-2022-22965
Revisions
2022-05-03 11:30 PT - Threat Defense for Active Directory is affected. Remediation actions updated.
2022-04-29 01:30 PT - Critical System Protection is affected. Remediation actions updated.
2022-04-28 11:00 PT - Cloud Workload Assurance and IT Analytics are not vulnerable.
2022-04-12 03:30 PT - Symantec Endpoint Protection Manager and Data Center Security Manager are affected. Remediation actions updated.
2022-04-08 09:30 PT - Web Security Services is not vulnerable.
2022-04-07 07:30 PT - Content Analysis is not vulnerable.
2022-04-06 11:00 PT - HSM Agent is not vulnerable.
2022-04-06 10:50 PT - BCAAA is not vulnerable.
2022-04-05 08:30 PT - Industrial Control System Protection is not vulnerable.
2022-04-05 08:00 PT - Integrated Cyber Defense Exchange is not vulnerable.
2022-04-04 03:00 PT - Symantec Endpoint Protection for Mobile is not vulnerable.
2022-04-04 10:40 PT - Symantec Insight for Private Clouds is not vulnerable.
2022-04-01 02:40 PT - Initial Release