VMware says 3 Tanzu products affected by Spring4Shell vulnerability
VMware revealed on Saturday that three Tanzu products are “affected” by a remote code execution (RCE) vulnerability in Spring Core known as Spring4Shell.
The company said in an advisory that the three affected products are VMware Tanzu Application Services for Virtual Machines, VMware Tanzu Operations Manager, and VMware Tanzu Kubernetes Mesh Integration Edition (TKGI).
“A malicious actor with network access to an affected VMware product could exploit this issue to gain full control of the target system,” VMware said in the advisory.
Patches are currently available for Tanzu Application Services for Virtual Machines (version 2.11 or later), Tanzu Application Services (version 2.10), and Tanzu Operations Manager (version 2.8 or later), according to the advisory.
As of this writing, VMware's advisory says patches are pending for the affected versions of TKGI, which are version 1.11 or later.
Details of the so-called Spring4Shell vulnerability were leaked on Tuesday, and the vulnerability in the open-source framework was confirmed by VMware-owned Spring on Thursday.
The RCE vulnerability (CVE-2022-22965) affects JDK 9 or higher and has additional requirements before it can be exploited, including that the application runs on Apache Tomcat, Spring said in a blog post on Thursday.
All organizations using the popular Java framework Spring have been asked to patch the bug, regardless of whether they believe their applications are vulnerable.
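The preconditions above (JDK 9 or higher, deployment on Apache Tomcat, use of the Spring framework) are what a defender checks first when prioritising which hosts to patch. The following triage helper is an added example, not code from the article or from Spring or VMware; it parses the banner line that `java -version` prints (the legacy `1.8.0_x` form and the `11.0.x` / `17.0.x` form used from JDK 9 onward) and combines it with two facts the operator supplies about the deployment. The sample banners are constructed, and the helper deliberately checks only the conditions the article names; a host that does not match them is still expected to be patched per Spring's guidance.

```python
import re
from typing import Optional, Tuple, List

# The JDK version line looks like:  openjdk version "1.8.0_292"  (pre-9)
#                               or:  openjdk version "17.0.2"     (9 and later)
_VERSION_RE = re.compile(r'version "([^"]+)"')


def jdk_major_version(banner: str) -> Optional[int]:
    """Return the JDK major version from a `java -version` banner, or None
    if the banner cannot be parsed. Pre-9 JDKs report "1.<major>.0_<update>",
    JDK 9 and later report "<major>.<minor>.<patch>" (possibly with "-ea")."""
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    parts = match.group(1).split(".")
    if parts[0] == "1" and len(parts) > 1:
        return int(parts[1])  # legacy "1.8.0_292" -> 8
    leading = re.match(r"\d+", parts[0])
    return int(leading.group()) if leading else None


def spring4shell_preconditions(banner: str, runs_on_tomcat: bool,
                               uses_spring: bool) -> Tuple[bool, List[str]]:
    """Report whether a host meets the exploitation preconditions the article
    lists for CVE-2022-22965 (JDK >= 9, Apache Tomcat, Spring framework).
    Returns (all_preconditions_met, list_of_unmet_preconditions)."""
    unmet = []
    major = jdk_major_version(banner)
    if major is None:
        unmet.append("JDK version could not be determined")
    elif major < 9:
        unmet.append(f"JDK {major} is below 9")
    if not runs_on_tomcat:
        unmet.append("not deployed on Apache Tomcat")
    if not uses_spring:
        unmet.append("does not use the Spring framework")
    return (len(unmet) == 0, unmet)


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, java -version banner, tomcat?, spring?)
    inventory = [
        ("app-01", 'openjdk version "17.0.2" 2022-01-18', True, True),
        ("app-02", 'openjdk version "1.8.0_292"', True, True),
        ("batch-03", 'openjdk version "11.0.14.1" 2022-02-08', False, True),
    ]
    for host, banner, tomcat, spring in inventory:
        met, reasons = spring4shell_preconditions(banner, tomcat, spring)
        status = "MATCHES preconditions, patch first" if met else "; ".join(reasons)
        print(f"{host}: {status}")
```

The script prioritises hosts for patching; it does not determine exploitability on its own, since the article notes Spring asks all users to patch regardless of whether they believe their applications are vulnerable.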
Serious Vulnerability
VMware now says that its Tanzu application platform is also affected by the Spring4Shell vulnerability. The vulnerability received a CVSSv3 severity rating of 9.8, making it a “severe” vulnerability.
Along with details about the affected versions of the Tanzu products and their patches, VMware's advisory includes links to workarounds for Tanzu Application Service for VMs and TKGI.
“At the time of this publication, VMware has reviewed its product portfolio and found that the products listed in this advisory are all affected,” the company said in its advisory. “VMware continues to investigate this vulnerability and will update the advisory if any changes are made.”
Although Spring4Shell is considered a “generic” vulnerability, with potential for further exploitation, the best advice is that all Spring users should patch if possible, experts told VentureBeat.
However, even in the worst-case scenario for Spring4Shell, it is still far from certain that it will become as big an issue as Log4Shell, the vulnerability affecting the widely used Apache Log4j software, experts say.