Summary
CVE-2022-22965 (Spring4Shell, SpringShell) is a Remote Code Execution (RCE) vulnerability in the Spring Framework's data-binding functionality that allows an attacker to execute carefully crafted code on a remote web server.
For an application to be vulnerable to Spring4Shell, it must meet the following requirements as outlined in the Spring advisory:
- use JDK 9 or higher
- have Apache Tomcat as the servlet container
- be packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
- use spring-webmvc or spring-webflux dependency
- use Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or older
CVE-2022-22963 is a vulnerability in the routing functionality of Spring Cloud Function that allows a user to supply a specially crafted SpEL expression as a routing expression. This may result in RCE and access to local resources.
A vulnerable configuration consists of:
- Spring Cloud Function 3.1.6, 3.2.2, and older
No TeamQuest products meet the above conditions and are, therefore, deemed safe from these Spring-related vulnerabilities.
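The following added example (this editor's code, not TeamQuest's or Spring's) turns the conditions listed above for both CVEs into a small inventory triage check. The `Deployment` fields, the function names and the sample records are assumptions for illustration; a deployment that meets the listed conditions warrants the upgrade described in the advisory, it is not proof of exploitability.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

def parse_version(v: str) -> Tuple[int, int, int]:
    """'5.3.17' -> (5, 3, 17); a trailing qualifier such as '.RELEASE' is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]

def spring_framework_affected(version: str) -> bool:
    """Spring Framework ranges listed for CVE-2022-22965: 5.3.0-5.3.17, 5.2.0-5.2.19, or older."""
    t = parse_version(version)
    return (5, 3, 0) <= t <= (5, 3, 17) or t <= (5, 2, 19)

def cloud_function_affected(version: str) -> bool:
    """Spring Cloud Function ranges listed for CVE-2022-22963: 3.2.2, 3.1.6, and older."""
    t = parse_version(version)
    return (3, 2, 0) <= t <= (3, 2, 2) or t <= (3, 1, 6)

@dataclass
class Deployment:
    """Constructed inventory record; the field names are this example's own, not the advisory's."""
    jdk_major: int
    servlet_container: str                    # e.g. "tomcat", "jetty"
    packaging: str                            # "war" (traditional) or "jar" (Spring Boot executable)
    web_modules: Tuple[str, ...]              # e.g. ("spring-webmvc",)
    spring_framework: Optional[str]           # version string, None if not present
    spring_cloud_function: Optional[str] = None

def assess(d: Deployment) -> List[str]:
    """Return the CVE ids whose published preconditions this deployment meets (all must hold)."""
    hits = []
    if (d.spring_framework is not None
            and d.jdk_major >= 9
            and d.servlet_container.lower() == "tomcat"
            and d.packaging.lower() == "war"
            and {"spring-webmvc", "spring-webflux"} & set(d.web_modules)
            and spring_framework_affected(d.spring_framework)):
        hits.append("CVE-2022-22965")
    if d.spring_cloud_function is not None and cloud_function_affected(d.spring_cloud_function):
        hits.append("CVE-2022-22963")
    return hits

if __name__ == "__main__":
    legacy_war = Deployment(11, "tomcat", "war", ("spring-webmvc",), "5.3.17")
    boot_jar = Deployment(17, "tomcat", "jar", ("spring-webmvc",), "5.3.17")
    print(assess(legacy_war))  # ['CVE-2022-22965']
    print(assess(boot_jar))    # []
```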
Mitigation
TeamQuest has updated to the latest Spring version, where applicable, for our next available releases, even though we are not (known to be) affected. Upgrade to the latest version of the TeamQuest products.
Resolution
You will be notified when the new releases are available. Please contact Customer Support with any questions.