VMware recently confirmed vulnerabilities in some VMware Tanzu developer tools. The Spring4Shell vulnerabilities were classified as critical. In addition to a workaround, the first updates are now available. Spring4Shell is a critical remote code execution vulnerability and is present in several VMware cloud computing and virtualization products. VMware products affected by Spring4Shell include the VMware Tanzu Application Service and Spring Boot.
A list of VMware products is available on the: Business support website available and added at the end of this post. In cases where no fix is available, VMware has released a workaround to resolve the issue. VMware recommends that companies using the affected solutions act now, as Spring4Shell is an actively exploited vulnerability.
Vulnerability in the Spring Core Java framework
Spring4Shell, officially listed as CVE-2022-22965, is a vulnerability in the Spring Core Java Framework that can be exploited without authentication and has a severity rating of 9.8 out of 10. This means that any malicious actor with access to vulnerable applications could use arbitrary commands and take full control of a target system.
Proof of concept published
Due to the widespread use of the Spring Framework for developing Java applications, security analysts are already concerned about large-scale attacks that will exploit the Spring4Shell vulnerability. To make matters worse, a working proof-of-concept (PoC) exploit was released on GitHub before a security update was available. This, of course, increases the chances of malicious exploitation.
The affected versions of the applications are:
- Spring Framework 5.3.18 and Spring Framework 5.2.20
- Ferry Boot 2.5.12
- Spring Boot 2.6.6 (coming soon)
- VMware Tanzu Application Service for VMs – Versions 2.10 to 2.13
- VMware Tanzu Operations Manager – versions 2.8 to 2.9
- VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) – versions 1.11 to 1.13
Digital marketing enthusiast and industry professional in Digital technologies, Technology News, Mobile phones, software, gadgets with vast experience in the tech industry, I have a keen interest in technology, News breaking.