Details of VAR-202203-1506

ID

VAR-202203-1506

CVE

CVE-2022-22965

TITLE

Spring Framework Code injection vulnerability

Trust: 1.2

sources: CNNVD: CNNVD-202203-2642 // CNNVD: CNNVD-202203-2514

DESCRIPTION

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. The Spring Framework insecurely handles PropertyDescriptor objects, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.CVE-2022-22965 AffectedCVE-2022-22965 Affected. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Description: A micro version update (from 1.6.4 to 1.6.5) is now available for Red Hat Camel K that includes CVE fixes in the base images, which are documented in the Release Notes document linked in the References section. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 4. Installation instructions are available from the Fuse 7.10 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/ 4. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Low: Red Hat Decision Manager 7.12.1 security update Advisory ID: RHSA-2022:1379-01 Product: Red Hat Decision Manager Advisory URL: https://access.redhat.com/errata/RHSA-2022:1379 Issue date: 2022-04-14 CVE Names: CVE-2022-22965 ==================================================================== 1. Summary: An update is now available for Red Hat Decision Manager. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation (DMN) execution, and business optimization for solving planning problems. It automates business decisions and makes that logic available to the entire business. This asynchronous security patch is an update to Red Hat Decision Manager 7. Security Fix(es): * spring-webmvc: spring-framework: RCE via Data Binding on JDK 9+ (CVE-2022-22965) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. This release upgrades Spring to 5.3.18 and Spring Boot to 2.6.6 which fixes the Spring MVC and WebFlux jars. For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. It is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process. The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 2070348 - CVE-2022-22965 spring-framework: RCE via Data Binding on JDK 9+ 5. References: https://access.redhat.com/security/cve/CVE-2022-22965 https://access.redhat.com/security/updates/classification/#low https://access.redhat.com/security/vulnerabilities/RHSB-2022-003 https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=rhdm&version=7.12.1 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYlidHNzjgjWX9erEAQhBihAApV3yXc8aEuRq9fMKL4EnxKcmHt9dgnX2 /Xsdp+isSEvWlE+TC/Ou0tptT1ZPfO3Adm/bXbsboaiq790W+aF8qHEYuA+WxtRW RY9cx4AS/QfRo+puk36QAWUSEx4WzKeU1no/5A7hezcPxIEGP+EdSX4DgDaVW9mB CZndXwiYAzLyYgVFI/y5AJP8CPZTvwFjdunOBDwqqNsKiVgFOjqHMJo/X+yus4bU aFF0BAsA0OVCrjdnWV0fUqF1iON8cbELW7JqkGobM22PZZ6ngxzTXUTbvD1QovLM Cbj2Ay7l7DHH/3v9Hqk7NLpzp/fa9Z/lQ5c+3okHu0QvanphRllsC893/KGGMXfa 7+S3iWFKV2cJ2249z01eZgX30s7rlSlFRTB9hUlitWLiYaMkWWW0iqt0+2cPkjDv zP0hy1pYCyCFLluS85FVqW/9HBItNwReuXp9Vv3JqDy8L5+DIVv4WmSYcr4LCcj2 EC5WsIjNW7G4dL0RCukt+HascGTD+huNbzsrDuln4vQJ2HG+4vmH7Cmmlr4MvpHD Bw4BW6UI8a09axvbUVi2x+w1qTTdiO9J1x4ngaFKjbvItNpT3VRB3YfLcPck1Zv6 DCEC2g11LdPnO2JR5M6t2eMsFlkfLDtqDFotVVzGLBXQWj7I5R2YK+OPrEF2dnXD Pjhf0e6lKl4=xaz4 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Description: AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. For further information, refer to the release notes linked to in the References section

Trust: 2.43

sources: NVD: CVE-2022-22965 // CERT/CC: VU#970766 // VULHUB: VHN-411825 // VULMON: CVE-2022-22965 // PACKETSTORM: 166691 // PACKETSTORM: 166706 // PACKETSTORM: 166715 // PACKETSTORM: 166731 // PACKETSTORM: 166732 // PACKETSTORM: 166874 // PACKETSTORM: 166872

AFFECTED PRODUCTS

vendor:	veritas	model:	flex appliance	scope:	eq	version:	1.3	Trust: 1.0
vendor:	vmware	model:	spring framework	scope:	lt	version:	5.2.20	Trust: 1.0
vendor:	veritas	model:	flex appliance	scope:	eq	version:	2.0.1	Trust: 1.0
vendor:	oracle	model:	communications cloud native core security edge protection proxy	scope:	eq	version:	1.7.0	Trust: 1.0
vendor:	oracle	model:	financial services analytical applications infrastructure	scope:	eq	version:	8.1.2.0	Trust: 1.0
vendor:	oracle	model:	financial services enterprise case management	scope:	eq	version:	8.1.1.1	Trust: 1.0
vendor:	oracle	model:	retail customer management and segmentation foundation	scope:	eq	version:	18.0	Trust: 1.0
vendor:	oracle	model:	retail merchandising system	scope:	eq	version:	16.0.3	Trust: 1.0
vendor:	oracle	model:	retail integration bus	scope:	eq	version:	15.0.3.1	Trust: 1.0
vendor:	oracle	model:	product lifecycle analytics	scope:	eq	version:	3.6.1	Trust: 1.0
vendor:	oracle	model:	communications unified inventory management	scope:	eq	version:	7.4.2	Trust: 1.0
vendor:	oracle	model:	communications cloud native core automated test suite	scope:	eq	version:	1.9.0	Trust: 1.0
vendor:	oracle	model:	financial services behavior detection platform	scope:	eq	version:	8.1.2.0	Trust: 1.0
vendor:	veritas	model:	netbackup appliance	scope:	eq	version:	4.1	Trust: 1.0
vendor:	veritas	model:	access appliance	scope:	eq	version:	7.4.3.200	Trust: 1.0
vendor:	veritas	model:	netbackup flex scale appliance	scope:	eq	version:	3.0	Trust: 1.0
vendor:	oracle	model:	retail integration bus	scope:	eq	version:	14.1.3.2	Trust: 1.0
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.2.1.3.0	Trust: 1.0
vendor:	oracle	model:	communications policy management	scope:	eq	version:	12.6.0.0.0	Trust: 1.0
vendor:	cisco	model:	cx cloud agent	scope:	lt	version:	2.1.0	Trust: 1.0
vendor:	oracle	model:	communications cloud native core network slice selection function	scope:	eq	version:	1.8.0	Trust: 1.0
vendor:	oracle	model:	retail bulk data integration	scope:	eq	version:	16.0.3	Trust: 1.0
vendor:	oracle	model:	sd-wan edge	scope:	eq	version:	9.0	Trust: 1.0
vendor:	siemens	model:	operation scheduler	scope:	lt	version:	2.0.4	Trust: 1.0
vendor:	veritas	model:	access appliance	scope:	eq	version:	7.4.3	Trust: 1.0
vendor:	oracle	model:	commerce platform	scope:	eq	version:	11.3.2	Trust: 1.0
vendor:	oracle	model:	retail integration bus	scope:	eq	version:	19.0.1	Trust: 1.0
vendor:	veritas	model:	flex appliance	scope:	eq	version:	2.1	Trust: 1.0
vendor:	siemens	model:	siveillance identity	scope:	eq	version:	1.6	Trust: 1.0
vendor:	oracle	model:	financial services enterprise case management	scope:	eq	version:	8.1.2.0	Trust: 1.0
vendor:	oracle	model:	communications cloud native core console	scope:	eq	version:	22.1.0	Trust: 1.0
vendor:	oracle	model:	communications cloud native core network slice selection function	scope:	eq	version:	1.15.0	Trust: 1.0
vendor:	oracle	model:	mysql enterprise monitor	scope:	lt	version:	8.0.29	Trust: 1.0
vendor:	veritas	model:	netbackup appliance	scope:	eq	version:	4.0.0.1	Trust: 1.0
vendor:	veritas	model:	netbackup appliance	scope:	eq	version:	4.0	Trust: 1.0
vendor:	oracle	model:	communications cloud native core network slice selection function	scope:	eq	version:	22.1.0	Trust: 1.0
vendor:	oracle	model:	financial services behavior detection platform	scope:	eq	version:	8.1.1.0	Trust: 1.0
vendor:	oracle	model:	financial services behavior detection platform	scope:	eq	version:	8.1.1.1	Trust: 1.0
vendor:	oracle	model:	communications cloud native core policy	scope:	eq	version:	1.15.0	Trust: 1.0
vendor:	siemens	model:	sipass integrated	scope:	eq	version:	2.85	Trust: 1.0
vendor:	oracle	model:	retail integration bus	scope:	eq	version:	16.0.3	Trust: 1.0
vendor:	siemens	model:	sinec network management system	scope:	lt	version:	1.0.3	Trust: 1.0
vendor:	oracle	model:	communications cloud native core policy	scope:	eq	version:	22.1.0	Trust: 1.0
vendor:	oracle	model:	communications unified inventory management	scope:	eq	version:	7.5.0	Trust: 1.0
vendor:	oracle	model:	communications cloud native core network function cloud native environment	scope:	eq	version:	1.10.0	Trust: 1.0
vendor:	oracle	model:	retail financial integration	scope:	eq	version:	15.0.3.1	Trust: 1.0
vendor:	oracle	model:	communications unified inventory management	scope:	eq	version:	7.4.1	Trust: 1.0
vendor:	oracle	model:	retail customer management and segmentation foundation	scope:	eq	version:	17.0	Trust: 1.0
vendor:	veritas	model:	flex appliance	scope:	eq	version:	2.0	Trust: 1.0
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.2.1.4.0	Trust: 1.0
vendor:	oracle	model:	financial services enterprise case management	scope:	eq	version:	8.1.1.0	Trust: 1.0
vendor:	veritas	model:	netbackup virtual appliance	scope:	eq	version:	4.1.0.1	Trust: 1.0
vendor:	oracle	model:	weblogic server	scope:	eq	version:	14.1.1.0.0	Trust: 1.0
vendor:	oracle	model:	retail xstore point of service	scope:	eq	version:	20.0.1	Trust: 1.0
vendor:	veritas	model:	netbackup virtual appliance	scope:	eq	version:	4.1	Trust: 1.0
vendor:	oracle	model:	communications cloud native core network repository function	scope:	eq	version:	1.15.0	Trust: 1.0
vendor:	oracle	model:	communications cloud native core automated test suite	scope:	eq	version:	22.1.0	Trust: 1.0
vendor:	oracle	model:	communications cloud native core network function cloud native environment	scope:	eq	version:	22.1.0	Trust: 1.0
vendor:	oracle	model:	communications cloud native core unified data repository	scope:	eq	version:	1.15.0	Trust: 1.0
vendor:	oracle	model:	financial services analytical applications infrastructure	scope:	eq	version:	8.1.1	Trust: 1.0
vendor:	veritas	model:	netbackup appliance	scope:	eq	version:	4.1.0.1	Trust: 1.0
vendor:	oracle	model:	retail financial integration	scope:	eq	version:	14.1.3.2	Trust: 1.0
vendor:	oracle	model:	communications cloud native core binding support function	scope:	eq	version:	22.1.3	Trust: 1.0
vendor:	oracle	model:	communications cloud native core network repository function	scope:	eq	version:	22.1.0	Trust: 1.0
vendor:	oracle	model:	communications cloud native core network exposure function	scope:	eq	version:	22.1.0	Trust: 1.0
vendor:	oracle	model:	communications cloud native core unified data repository	scope:	eq	version:	22.1.0	Trust: 1.0
vendor:	oracle	model:	retail financial integration	scope:	eq	version:	19.0.1	Trust: 1.0
vendor:	veritas	model:	netbackup flex scale appliance	scope:	eq	version:	2.1	Trust: 1.0
vendor:	vmware	model:	spring framework	scope:	gte	version:	5.3.0	Trust: 1.0
vendor:	siemens	model:	sipass integrated	scope:	eq	version:	2.80	Trust: 1.0
vendor:	oracle	model:	communications cloud native core console	scope:	eq	version:	1.9.0	Trust: 1.0
vendor:	veritas	model:	access appliance	scope:	eq	version:	7.4.3.100	Trust: 1.0
vendor:	veritas	model:	netbackup virtual appliance	scope:	eq	version:	4.0.0.1	Trust: 1.0
vendor:	veritas	model:	netbackup virtual appliance	scope:	eq	version:	4.0	Trust: 1.0
vendor:	vmware	model:	spring framework	scope:	lt	version:	5.3.18	Trust: 1.0
vendor:	siemens	model:	siveillance identity	scope:	eq	version:	1.5	Trust: 1.0
vendor:	oracle	model:	retail financial integration	scope:	eq	version:	16.0.3	Trust: 1.0
vendor:	oracle	model:	sd-wan edge	scope:	eq	version:	9.1	Trust: 1.0
vendor:	oracle	model:	retail xstore point of service	scope:	eq	version:	21.0.0	Trust: 1.0
vendor:	oracle	model:	retail merchandising system	scope:	eq	version:	19.0.1	Trust: 1.0
vendor:	veritas	model:	flex appliance	scope:	eq	version:	2.0.2	Trust: 1.0
vendor:	oracle	model:	communications cloud native core security edge protection proxy	scope:	eq	version:	22.1.0	Trust: 1.0
vendor:	oracle	model:	retail customer management and segmentation foundation	scope:	eq	version:	19.0	Trust: 1.0
vendor:	siemens	model:	simatic speech assistant for machines	scope:	lt	version:	1.2.1	Trust: 1.0

sources: NVD: CVE-2022-22965

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-22965
value:	CRITICAL
Trust: 1.0
CNNVD:	CNNVD-202203-2642
value:	CRITICAL
Trust: 0.6
CNNVD:	CNNVD-202203-2514
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-411825
value:	HIGH
Trust: 0.1
VULMON:	CVE-2022-22965
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2022-22965
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
VULHUB:	VHN-411825
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2022-22965
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-411825 // VULMON: CVE-2022-22965 // CNNVD: CNNVD-202203-2642 // CNNVD: CNNVD-202203-2514 // NVD: CVE-2022-22965

PROBLEMTYPE DATA

problemtype:

CWE-94

Trust: 1.1

sources: VULHUB: VHN-411825 // NVD: CVE-2022-22965

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 166691 // CNNVD: CNNVD-202203-2514

TYPE

code injection

Trust: 1.2

sources: CNNVD: CNNVD-202203-2642 // CNNVD: CNNVD-202203-2514

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-411825

PATCH

title:	Spring Framework Fixes for code injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=187595	Trust: 0.6
title:	Red Hat: Low: Red Hat Process Automation Manager 7.12.1 security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20221378 - Security Advisory	Trust: 0.1
title:	Red Hat: Low: Red Hat Decision Manager 7.12.1 security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20221379 - Security Advisory	Trust: 0.1
title:	Red Hat: Low: Red Hat AMQ Broker 7.9.4 release and security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20221627 - Security Advisory	Trust: 0.1
title:	Red Hat: Low: Red Hat Fuse 7.10.2 release and security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20221360 - Security Advisory	Trust: 0.1
title:	Red Hat: Low: Red Hat Integration Camel-K 1.6.5 security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20221333 - Security Advisory	Trust: 0.1
title:	Red Hat: Low: Red Hat Integration Camel Extensions for Quarkus 2.2.1-1 security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20221306 - Security Advisory	Trust: 0.1
title:	Red Hat: Low: Red Hat AMQ Broker 7.8.6 release and security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20221626 - Security Advisory	Trust: 0.1
title:	IBM: Security Bulletin: IBM Cloud Pak for Business Automation is affected but not classified as vulnerable by a remote code execution in Spring Framework [CVE-2022-22965]	url:	https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=e6cbc0e97f1832a63f66e10869253ecf	Trust: 0.1
title:	Cisco: Vulnerability in Spring Framework Affecting Cisco Products: March 2022	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-java-spring-rce-Zx9GUc67	Trust: 0.1
title:	-	url:	https://github.com/coffeehb/Spring4Shell	Trust: 0.1

sources: VULMON: CVE-2022-22965 // CNNVD: CNNVD-202203-2642

EXTERNAL IDS

db:	NVD	id:	CVE-2022-22965	Trust: 3.9
db:	PACKETSTORM	id:	166713	Trust: 1.7
db:	PACKETSTORM	id:	167011	Trust: 1.7
db:	SIEMENS	id:	SSA-254054	Trust: 1.7
db:	CS-HELP	id:	SB2022040109	Trust: 1.2
db:	CS-HELP	id:	SB2022033109	Trust: 1.2
db:	CERT/CC	id:	VU#970766	Trust: 0.8
db:	PACKETSTORM	id:	166691	Trust: 0.7
db:	PACKETSTORM	id:	166732	Trust: 0.7
db:	PACKETSTORM	id:	166874	Trust: 0.7
db:	CNNVD	id:	CNNVD-202203-2642	Trust: 0.6
db:	CS-HELP	id:	SB2022060811	Trust: 0.6
db:	CS-HELP	id:	SB2022070602	Trust: 0.6
db:	CS-HELP	id:	SB2022060716	Trust: 0.6
db:	CS-HELP	id:	SB2022042734	Trust: 0.6
db:	CS-HELP	id:	SB2022042546	Trust: 0.6
db:	CS-HELP	id:	SB2022060304	Trust: 0.6
db:	CS-HELP	id:	SB2022072038	Trust: 0.6
db:	CS-HELP	id:	SB2022071213	Trust: 0.6
db:	CS-HELP	id:	SB2022052302	Trust: 0.6
db:	CS-HELP	id:	SB2022042277	Trust: 0.6
db:	CS-HELP	id:	SB2022072087	Trust: 0.6
db:	CS-HELP	id:	SB2022041951	Trust: 0.6
db:	CS-HELP	id:	SB2022042126	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.3155	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.5097	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.1844	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.1636	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.1593	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.1444.8	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.1674	Trust: 0.6
db:	ICS CERT	id:	ICSA-22-286-05	Trust: 0.6
db:	CNNVD	id:	CNNVD-202203-2514	Trust: 0.6
db:	VULHUB	id:	VHN-411825	Trust: 0.1
db:	VULMON	id:	CVE-2022-22965	Trust: 0.1
db:	PACKETSTORM	id:	166706	Trust: 0.1
db:	PACKETSTORM	id:	166715	Trust: 0.1
db:	PACKETSTORM	id:	166731	Trust: 0.1
db:	PACKETSTORM	id:	166872	Trust: 0.1

sources: CERT/CC: VU#970766 // VULHUB: VHN-411825 // VULMON: CVE-2022-22965 // PACKETSTORM: 166691 // PACKETSTORM: 166706 // PACKETSTORM: 166715 // PACKETSTORM: 166731 // PACKETSTORM: 166732 // PACKETSTORM: 166874 // PACKETSTORM: 166872 // CNNVD: CNNVD-202203-2642 // CNNVD: CNNVD-202203-2514 // NVD: CVE-2022-22965

REFERENCES

url:	https://tanzu.vmware.com/security/cve-2022-22965	Trust: 3.5
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-java-spring-rce-zx9guc67	Trust: 2.9
url:	http://packetstormsecurity.com/files/166713/spring4shell-code-execution.html	Trust: 2.3
url:	http://packetstormsecurity.com/files/167011/spring4shell-spring-framework-class-property-remote-code-execution.html	Trust: 2.3
url:	https://www.oracle.com/security-alerts/cpuapr2022.html	Trust: 2.3
url:	https://access.redhat.com/security/cve/cve-2022-22965	Trust: 1.9
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf	Trust: 1.7
url:	https://psirt.global.sonicwall.com/vuln-detail/snwlid-2022-0005	Trust: 1.7
url:	https://www.oracle.com/security-alerts/cpujul2022.html	Trust: 1.7
url:	https://www.cybersecurity-help.cz/vdb/sb2022040109	Trust: 1.2
url:	https://www.cybersecurity-help.cz/vdb/sb2022033109	Trust: 1.2
url:	cve-2022-22965	Trust: 0.8
url:	https://access.redhat.com/security/team/contact/	Trust: 0.7
url:	https://access.redhat.com/security/vulnerabilities/rhsb-2022-003	Trust: 0.7
url:	https://nvd.nist.gov/vuln/detail/cve-2022-22965	Trust: 0.7
url:	https://access.redhat.com/security/updates/classification/#low	Trust: 0.7
url:	https://bugzilla.redhat.com/):	Trust: 0.7
url:	https://listman.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.7
url:	https://www.auscert.org.au/bulletins/esb-2022.1674	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022072038	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.1593	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022042126	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-22965/	Trust: 0.6
url:	https://packetstormsecurity.com/files/166874/red-hat-security-advisory-2022-1626-01.html	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022041951	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022042546	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022060304	Trust: 0.6
url:	https://packetstormsecurity.com/files/166691/red-hat-security-advisory-2022-1306-01.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.1844	Trust: 0.6
url:	https://packetstormsecurity.com/files/166732/red-hat-security-advisory-2022-1379-01.html	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022070602	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022071213	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022072087	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022060716	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022042277	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.1444.8	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022042734	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022060811	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.5097	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-286-05	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.3155	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.1636	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022052302	Trust: 0.6
url:	https://access.redhat.com/articles/11258	Trust: 0.2
url:	https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q1	Trust: 0.2
url:	https://access.redhat.com/documentation/en-us/red_hat_amq/	Trust: 0.2
url:	https://access.redhat.com/errata/rhsa-2022:1306	Trust: 0.1
url:	https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=red.hat.integration&version=2022-q1	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:1333	Trust: 0.1
url:	https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=red.hat.integration&version	Trust: 0.1
url:	https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=jboss.fuse&version=7.10.2	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:1360	Trust: 0.1
url:	https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=rhpam&downloadtype=securitypatches&version=7.12.1	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:1378	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:1379	Trust: 0.1
url:	https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=securitypatches&product=rhdm&version=7.12.1	Trust: 0.1
url:	https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=jboss.amq.broker&version=7.8.6	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:1626	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:1627	Trust: 0.1
url:	https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=jboss.amq.broker&version=7.9.4	Trust: 0.1

sources: CERT/CC: VU#970766 // VULHUB: VHN-411825 // PACKETSTORM: 166691 // PACKETSTORM: 166706 // PACKETSTORM: 166715 // PACKETSTORM: 166731 // PACKETSTORM: 166732 // PACKETSTORM: 166874 // PACKETSTORM: 166872 // CNNVD: CNNVD-202203-2642 // CNNVD: CNNVD-202203-2514 // NVD: CVE-2022-22965

CREDITS

This document was written by Will DormannWe have not received a statement from the vendor.

Trust: 0.8

sources: CERT/CC: VU#970766

SOURCES

db:	CERT/CC	id:	VU#970766
db:	VULHUB	id:	VHN-411825
db:	VULMON	id:	CVE-2022-22965
db:	PACKETSTORM	id:	166691
db:	PACKETSTORM	id:	166706
db:	PACKETSTORM	id:	166715
db:	PACKETSTORM	id:	166731
db:	PACKETSTORM	id:	166732
db:	PACKETSTORM	id:	166874
db:	PACKETSTORM	id:	166872
db:	CNNVD	id:	CNNVD-202203-2642
db:	CNNVD	id:	CNNVD-202203-2514
db:	NVD	id:	CVE-2022-22965

LAST UPDATE DATE

2024-11-06T20:55:49.240000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#970766	date:	2022-05-19T00:00:00
db:	VULHUB	id:	VHN-411825	date:	2023-02-09T00:00:00
db:	VULMON	id:	CVE-2022-22965	date:	2023-02-09T00:00:00
db:	CNNVD	id:	CNNVD-202203-2642	date:	2022-04-02T00:00:00
db:	CNNVD	id:	CNNVD-202203-2514	date:	2023-06-28T00:00:00
db:	NVD	id:	CVE-2022-22965	date:	2024-10-18T19:52:02.903

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#970766	date:	2022-03-31T00:00:00
db:	VULHUB	id:	VHN-411825	date:	2022-04-01T00:00:00
db:	VULMON	id:	CVE-2022-22965	date:	2022-04-01T00:00:00
db:	PACKETSTORM	id:	166691	date:	2022-04-11T17:36:49
db:	PACKETSTORM	id:	166706	date:	2022-04-13T15:01:19
db:	PACKETSTORM	id:	166715	date:	2022-04-13T22:20:55
db:	PACKETSTORM	id:	166731	date:	2022-04-15T15:24:03
db:	PACKETSTORM	id:	166732	date:	2022-04-15T15:24:12
db:	PACKETSTORM	id:	166874	date:	2022-04-27T18:19:24
db:	PACKETSTORM	id:	166872	date:	2022-04-27T18:18:11
db:	CNNVD	id:	CNNVD-202203-2642	date:	2022-03-30T00:00:00
db:	CNNVD	id:	CNNVD-202203-2514	date:	2022-03-30T00:00:00
db:	NVD	id:	CVE-2022-22965	date:	2022-04-01T23:15:13.870