VMware says 3 Tanzu products are affected by Spring4Shell vulnerability


VMware revealed on Saturday that three Tanzu products are “affected” by the remote code execution (RCE) vulnerability in Spring Core known as Spring4Shell.

The company said in an advisory that the three affected products are VMware Tanzu Application Service for VMs, VMware Tanzu Operations Manager, and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).

“A malicious actor with network access to an impacted VMware product can exploit this issue to gain full control of the target system,” VMware said in the advisory.

Fixes are now available for Tanzu Application Service for VMs (versions 2.11 and above), Tanzu Application Service (version 2.10), and Tanzu Operations Manager (versions 2.8 and above), according to the advisory.

At the time of this writing, VMware’s advisory indicates that fixes are pending for the affected versions of TKGI, which are 1.11 and above.

Details of the vulnerability known as Spring4Shell were disclosed on Tuesday, and the open-source vulnerability was acknowledged by VMware-owned Spring on Thursday.

The RCE vulnerability (CVE-2022-22965) affects JDK 9 or higher and has several additional requirements for it to be exploited, including that the application run on Apache Tomcat, Spring said in its blog post Thursday.

All organizations that use the popular Java Spring framework have been urged to patch whether or not they believe their applications are vulnerable.
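The blanket advice above ("patch whether or not you believe you are vulnerable") is easier to act on with a quick inventory of which Spring Framework jars a deployment actually ships. The following is an added example, not code from VMware, Spring or VentureBeat. It reads versions out of standard Maven-style jar filenames (for example spring-beans-5.3.17.jar) and compares them with the first fixed releases named in Spring's own advisory for CVE-2022-22965, Spring Framework 5.3.18 and 5.2.20; those fixed version numbers are an assumption taken from Spring's advisory, since this article does not list them. The `jdk_major` argument records the JDK 9 or higher precondition the article quotes.

```python
"""Inventory check for Spring Framework jars affected by CVE-2022-22965.

Added example (not VMware's, Spring's or VentureBeat's code). Versions are
parsed from Maven-style jar filenames; the fixed releases (5.3.18, 5.2.20)
are taken from Spring's advisory and are not stated in the article itself.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Artifacts whose presence means Spring Framework core data binding is on the classpath.
SPRING_CORE_ARTIFACTS = {
    "spring-beans", "spring-core", "spring-context", "spring-webmvc", "spring-webflux",
}

# First fixed release per supported minor line (assumption: from Spring's advisory).
FIXED: Dict[Tuple[int, int], Version] = {
    (5, 3): (5, 3, 18),
    (5, 2): (5, 2, 20),
}

# spring-<artifact>-<major>.<minor>.<patch>[.RELEASE|-SNAPSHOT|...].jar
JAR_RE = re.compile(
    r"^(?P<artifact>spring-[a-z-]+?)-(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:[.-][A-Za-z0-9.]+)?\.jar$"
)


def parse_jar_name(name: str) -> Optional[Tuple[str, Version]]:
    """Return (artifact, (major, minor, patch)) for a Spring jar filename, else None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    version = (int(m.group("major")), int(m.group("minor")), int(m.group("patch")))
    return m.group("artifact"), version


def is_affected_version(version: Version) -> bool:
    """True if this Spring Framework version predates the fix for its minor line.

    5.2.x and 5.3.x compare against the fixed releases; later lines (5.4+, 6.x)
    shipped after the fix; anything older than 5.2 is an unsupported line that
    Spring's advisory describes as affected and never patched.
    """
    line = (version[0], version[1])
    if line in FIXED:
        return version < FIXED[line]
    if version >= (5, 3, 0):
        return False
    return True


def find_affected_jars(jar_names: Iterable[str]) -> List[str]:
    """Return the jar filenames that are core Spring artifacts at an affected version."""
    hits: List[str] = []
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed is None:
            continue
        artifact, version = parsed
        if artifact in SPRING_CORE_ARTIFACTS and is_affected_version(version):
            hits.append(name)
    return hits


def assess_deployment(jar_names: Iterable[str], jdk_major: int) -> Dict[str, object]:
    """Combine the jar inventory with the JDK 9+ precondition quoted in the article.

    An unpatched jar is reported either way; the JDK flag only says whether the
    published exploitation path (JDK 9 or higher) applies, so patch regardless.
    """
    affected = find_affected_jars(jar_names)
    return {
        "affected_jars": affected,
        "jdk_precondition_met": jdk_major >= 9,
        "patch_needed": bool(affected),
    }


if __name__ == "__main__":
    # Constructed sample classpath listing, not taken from any real deployment.
    sample_jars = [
        "spring-beans-5.3.17.jar",
        "spring-core-5.3.18.jar",
        "spring-webmvc-5.2.19.jar",
        "spring-context-5.2.20.jar",
        "spring-beans-5.1.20.RELEASE.jar",
        "spring-boot-starter-web-2.6.5.jar",
        "tomcat-embed-core-9.0.60.jar",
    ]
    print(assess_deployment(sample_jars, jdk_major=11))
```

Run it against the output of `ls WEB-INF/lib` (or an unpacked fat jar's `BOOT-INF/lib`) to get a list of jars that still need the Spring 5.3.18 / 5.2.20 update. The check is deliberately a filename inventory rather than an exploit probe: it tells you what to patch without sending anything to the application.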

Critical Vulnerability

Now, VMware claims that its Tanzu application platform is also affected by the Spring4Shell vulnerability. The vulnerability was given a CVSSv3 severity rating of 9.8, making it a “critical” flaw.

In addition to details on the affected versions of each Tanzu product and the available fixes, the VMware advisory includes links to workarounds for the Tanzu Application Service for VMs and TKGI issues.

“At the time of this publication, VMware has reviewed its product portfolio and has found that the products listed in this advisory are affected,” the company said in its advisory. “VMware continues to investigate this vulnerability and will update the advisory if any changes evolve.”

While Spring4Shell is considered a “general” vulnerability – with potential for additional exploits – the best advice is that all Spring users should patch if possible, experts told VentureBeat.

However, even with the worst-case scenario for Spring4Shell, it is highly unlikely to become as big an issue as the Log4Shell vulnerability, which affected widely used Apache Log4j software, experts said.



Steven L. Nielsen