Summary

Symantec is investigating CVE-2022-22965, aka Spring4Shell, which is an RCE vulnerability in the Spring Framework. When exploited, the vulnerability allows an unauthenticated attacker to execute arbitrary code on the target system.

Affected Product(s)

The following products and product versions are affected.

Additional Product Information

The following products are not vulnerable:

Advanced Secure Gateway (ASG)
BCAAA
Cloud Workload Assurance (CWA)
Cloud Workload Protection (CWP)
Cloud Workload Protection for Storage (CWP:S)
CloudSOC Cloud Access Security Broker (CASB)
Content Analysis
Critical System Protection (CSP)
Data Loss Prevention (DLP)
Ghost Solution Suite (GSS)
HSM Agent
Industrial Control System Protection (ICSP)
Information Centric Analytics (ICA)
Information Centric Tagging (ICT)
Integrated Cyber Defense Exchange (ICDx)
Integrated Secure Gateway (ISG)
IT Analytics (ITA)
IT Management Suite
Layer7 API Developer Portal
Layer7 API Developer Portal SaaS
Layer7 API Gateway
Layer7 Live API Creator
LiveUpdate Administrator (LUA)
Management Center (MC)
Mirror Gateway
PacketShaper (PS) S-Series
PolicyCenter (PC) S-Series
ProxySG
Reporter
Secure Access Cloud (SAC)
Security Analytics (SA)
SSL Visibility (SSLV)
Symantec Advanced Authentication
Symantec Control Compliance Suite (CCS) 
Symantec Directory 
Symantec Endpoint Detection and Response (EDR) On-premise
Symantec Endpoint Encryption (SEE)
Symantec Endpoint Protection (SEP) Agent
Symantec Endpoint Protection (SEP) for Mobile
Symantec Identity Governance and Administration
Symantec Insight for Private Clouds
Symantec Mail Security for Microsoft Exchange (SMSMSE)
Symantec Messaging Gateway (SMG)
Symantec PGP Solutions
Symantec Privileged Access Manager
Symantec Privileged Access Manager Server Control
Symantec Privileged Identity Manager
Symantec Protection Engine (SPE)
Symantec Protection for SharePoint Servers (SPSS)
Symantec SiteMinder (CA Single Sign-on)
Symantec VIP
Symantec VIP Authentication Hub (separate from Symantec VIP)
Threat Defense for Active Directory (TDAD)
Web Isolation (WI)
Web Security Services (WSS)

Symantec Protection Bulletins

Multiple Symantec products can detect and provide protection against attacks exploiting CVE-2022-22965 in customer environments. Refer to the following publications for more information:

• Symantec Protection Bulletin: https://www.broadcom.com/support/security-center/protection-bulletin#blta69615250a6a88b8_en-us 
  
  

Issue Details

References

• Spring Framework CVE-2022-22965 - https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement 
• CVE-2022-22965: Spring Framework RCE via Data Binding on JDK9+ - https://tanzu.vmware.com/security/cve-2022-22965 

Revisions

2022-05-03 11:30 PT - Threat Defense for Active Directory is affected. Remediation actions updated.
2022-04-29 01:30 PT - Critical System Protection is affected. Remediation actions updated.
2022-04-28 11:00 PT - Cloud Workload Assurance and IT Analytics are not vulnerable.
2022-04-12 03:30 PT - Symantec Endpoint Protection Manager and Data Center Security Manager are affected. Remediation actions updated.
2022-04-08 09:30 PT - Web Security Services is not vulnerable.
2022-04-07 07:30 PT - Content Analysis is not vulnerable.
2022-04-06 11:00 PT - HSM Agent is not vulnerable.
2022-04-06 10:50 PT - BCAAA is not vulnerable.
2022-04-05 08:30 PT - Industrial Control System Protection is not vulnerable.
2022-04-05 08:00 PT - Integrated Cyber Defense Exchange is not vulnerable.
2022-04-04 03:00 PT - Symantec Endpoint Protection for Mobile is not vulnerable.
2022-04-04 10:40 PT - Symantec Insight for Private Clouds is not vulnerable.
2022-04-01 02:40 PT - Initial Release