Symantec Security Advisory for Spring Framework CVE-2022-22965

20427

10 May 2022

01 April 2022

CLOSED

CRITICAL

Summary

Symantec is investigating CVE-2022-22965, also known as Spring4Shell, a remote code execution (RCE) vulnerability in the Spring Framework. When exploited, the vulnerability allows an unauthenticated attacker to execute arbitrary code on the target system.

Affected Product(s)

The following products and product versions are affected.

Symantec Endpoint Protection Manager
CVE: CVE-2022-22965
Affected Version(s): 14.3 RU3 and earlier.
Remediation: Upgrade to 14.3 RU4 and run LiveUpdate to download Symantec Endpoint Protection Manager API 14.3 RU4 content revision 04/01/2022 r16 or newer.

Data Center Security Manager
CVE: CVE-2022-22965
Affected Version(s): 6.9.1 and earlier.
Remediation: Apply the 6.9.1 b532 Server Update (Server_DCS691_b532.zip) available on the Support Downloads portal.

Critical System Protection
CVE: CVE-2022-22965
Affected Version(s): 8.0.2 and earlier.
Remediation: Apply the 8.0.2 b81 Server Update (SCSP_8.0.2_Server_Refresh.zip) available on the Support Downloads portal.

Threat Defense for Active Directory
CVE: CVE-2022-22965
Affected Version(s): 3.6.2.5 and earlier.
Remediation: Upgrade to 3.6.2.6, available on the Support Downloads portal.

Additional Product Information

The following products are not vulnerable:

Advanced Secure Gateway (ASG)
BCAAA
Cloud Workload Assurance (CWA)
Cloud Workload Protection (CWP)
Cloud Workload Protection for Storage (CWP:S)
CloudSOC Cloud Access Security Broker (CASB)
Content Analysis
Critical System Protection (CSP)
Data Loss Prevention (DLP)
Ghost Solution Suite (GSS)
HSM Agent
Industrial Control System Protection (ICSP)
Information Centric Analytics (ICA)
Information Centric Tagging (ICT)
Integrated Cyber Defense Exchange (ICDx)
Integrated Secure Gateway (ISG)
IT Analytics (ITA)
IT Management Suite
Layer7 API Developer Portal
Layer7 API Developer Portal SaaS
Layer7 API Gateway
Layer7 Live API Creator
LiveUpdate Administrator (LUA)
Management Center (MC)
Mirror Gateway
PacketShaper (PS) S-Series
PolicyCenter (PC) S-Series
ProxySG
Reporter
Secure Access Cloud (SAC)
Security Analytics (SA)
SSL Visibility (SSLV)
Symantec Advanced Authentication
Symantec Control Compliance Suite (CCS)
Symantec Directory
Symantec Endpoint Detection and Response (EDR) On-premise
Symantec Endpoint Encryption (SEE)
Symantec Endpoint Protection (SEP) Agent
Symantec Endpoint Protection (SEP) for Mobile
Symantec Identity Governance and Administration
Symantec Insight for Private Clouds
Symantec Mail Security for Microsoft Exchange (SMSMSE)
Symantec Messaging Gateway (SMG)
Symantec PGP Solutions
Symantec Privileged Access Manager
Symantec Privileged Access Manager Server Control
Symantec Privileged Identity Manager
Symantec Protection Engine (SPE)
Symantec Protection for SharePoint Servers (SPSS)
Symantec SiteMinder (CA Single Sign-on)
Symantec VIP
Symantec VIP Authentication Hub (separate from Symantec VIP)
Threat Defense for Active Directory (TDAD)
Web Isolation (WI)
Web Security Services (WSS)

Symantec Protection Bulletins

Multiple Symantec products can detect and provide protection against attacks exploiting CVE-2022-22965 in customer environments. Refer to the following publications for more information:

Issue Details

CVE-2022-22965
Severity / CVSS v3.1: Critical / 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
References: NVD: CVE-2022-22965
Impact: Remote code execution (RCE)
Description: A request binding flaw in the Spring Framework allows a remote unauthenticated attacker to send malicious HTTP requests and execute arbitrary code on the target system. This vulnerability impacts Spring MVC and Spring WebFlux applications running on Java 9+.

Revisions

2022-05-03 11:30 PT - Threat Defense for Active Directory is affected. Remediation actions updated.
2022-04-29 01:30 PT - Critical System Protection is affected. Remediation actions updated.
2022-04-28 11:00 PT - Cloud Workload Assurance and IT Analytics are not vulnerable.
2022-04-12 03:30 PT - Symantec Endpoint Protection Manager and Data Center Security Manager are affected. Remediation actions updated.
2022-04-08 09:30 PT - Web Security Services is not vulnerable.
2022-04-07 07:30 PT - Content Analysis is not vulnerable.
2022-04-06 11:00 PT - HSM Agent is not vulnerable.
2022-04-06 10:50 PT - BCAAA is not vulnerable.
2022-04-05 08:30 PT - Industrial Control System Protection is not vulnerable.
2022-04-05 08:00 PT - Integrated Cyber Defense Exchange is not vulnerable.
2022-04-04 03:00 PT - Symantec Endpoint Protection for Mobile is not vulnerable.
2022-04-04 10:40 PT - Symantec Insight for Private Clouds is not vulnerable.
2022-04-01 02:40 PT - Initial Release