Security Alert for Spring4Shell CVE-2022-22965 - Security Advisory TWA SEC 3657

TCPWave Security
Date: April 12, 2022

Product

All versions of TCPWave DDI Products (DNS, DHCP, IP Address Management)

Overview

A critical vulnerability was reported to VMware. It affects applications that run on Java Development Kit (JDK) 9.0 or later, use Spring Framework v5.3.0 to v5.3.17, v5.2.0 to v5.2.19, or older versions, run on Apache Tomcat as the servlet container, are packaged as a traditional Java web archive (WAR), and have spring-webmvc or spring-webflux dependencies. It is disclosed under CVE-2022-22965. The vulnerability gives a malicious actor access to the class loader, which allows updating class loader attributes and injecting arbitrary code into the system.
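The conditions listed above can be checked against a WAR file during an inventory review. The following is an added example, not TCPWave code: it assumes the usual Maven jar naming under WEB-INF/lib, takes the JDK major version and container name from the caller, and uses a constructed in-memory WAR as sample input.

```python
import io
import re
import zipfile

# Assumption: jars follow the Maven layout WEB-INF/lib/<artifact>-<version>.jar,
# optionally with a suffix such as ".RELEASE" after the version.
JAR_RE = re.compile(
    r"^WEB-INF/lib/(spring-(?:webmvc|webflux))-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")

def version_in_affected_range(version):
    """Ranges as listed in the advisory: 5.3.0-5.3.17, 5.2.0-5.2.19, and older."""
    if (5, 3, 0) <= version <= (5, 3, 17):
        return True
    return version <= (5, 2, 19)

def scan_war(war_bytes):
    """Return sorted (artifact, 'x.y.z', in_affected_range) for Spring web jars."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = JAR_RE.match(name)
            if m:
                version = tuple(int(p) for p in m.group(2, 3, 4))
                findings.append((m.group(1), ".".join(map(str, version)),
                                 version_in_affected_range(version)))
    return sorted(findings)

def meets_listed_conditions(war_bytes, jdk_major, container):
    """True only when every condition in the Overview holds at the same time."""
    hits = [f for f in scan_war(war_bytes) if f[2]]
    return bool(hits) and jdk_major >= 9 and container.lower() == "tomcat"

def build_sample_war(jar_names):
    """Constructed sample input: an in-memory WAR holding empty placeholder jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in jar_names:
            war.writestr("WEB-INF/lib/" + jar, b"")
    return buf.getvalue()

if __name__ == "__main__":
    war = build_sample_war(["spring-webmvc-5.3.17.jar", "spring-core-5.3.17.jar"])
    print(scan_war(war), meets_listed_conditions(war, 11, "Tomcat"))
```

A True result means the deployment matches the listed conditions and should be reviewed; it does not by itself confirm exploitability.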

Impact

The TCPWave Information Security Team confirms that TCPWave DDI products are not vulnerable to Spring4Shell (CVE-2022-22965).

Workaround

No workaround is required.

Solution

No action is required.

Contact

Customers with questions on this alert can contact TCPWave Support at [email protected].
