VMware released updates to fix the Spring4Shell vulnerability in multiple products

VMware released security updates to address the critical remote code execution vulnerability known as Spring4Shell.

VMware has published security updates to address the critical remote code execution vulnerability known as Spring4Shell (CVE-2022-22965). According to the virtualization giant, the flaw impacts many of its cloud computing and virtualization products.

The Spring4Shell issue was disclosed last week, it resides in the Spring Core Java framework. An unauthenticated, remote attacker could trigger the vulnerability to execute arbitrary code on the target system. The framework is currently maintained by Spring.io which is a subsidiary of VMware.

The Spring Framework is an application framework and inversion of control container for the Java platform. The framework’s core features can be used by any Java application, but there are extensions for building web applications on top of the Java EE (Enterprise Edition) platform.

The vulnerability was disclosed after a Chinese security researcher published a proof-of-concept (PoC) exploit before deleting its account (helloexp).

Now VMware published a list of affected products, the company also released workarounds for those products that have yet to receive a security fix for the Spring4Shell.

“Multiple products impacted by remote code execution vulnerability (CVE-2022-22965).” reads the advisory published by VMware. “A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system.”

The flaw impacts VMware Tanzu Application Service for VMs, VMware Tanzu Operations Manager, and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).

VMware announced that it is still investigating this flaw and will update the advisory should any changes evolve.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Spring4shell)

The post VMware released updates to fix the Spring4Shell vulnerability in multiple products appeared first on Security Affairs.

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.

Discord

Original Source