Issued: Thursday, 7 April, 2022 |
Last Revision: Thursday, 7 April, 2022 |
Vendor: VMware |
Product: VMware Tanzu Application Service for VMs, VMware Tanzu Operations Manager, VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) |
Severity Level: Critical (CVSSv3 base score 9.8) |
Security updates have been released for the Spring4Shell remote code execution vulnerability, which affects several VMware cloud computing and virtualization products. The root cause is a critical vulnerability in the Spring Framework (Spring Core), tracked as CVE-2022-22965: request-parameter data binding in Spring MVC and Spring WebFlux applications running on JDK 9 or later can be abused to reach the ClassLoader through a bound object's class property, and on common deployments (for example a WAR deployed on Apache Tomcat) this leads to remote code execution. The Spring team fixed the framework in Spring Framework 5.3.18 and 5.2.20 (Spring Boot 2.6.6 and 2.5.12); the VMware products listed below bundle the framework and therefore need their own product updates.
The vulnerability is publicly disclosed and actively exploited, and affected products can be attacked without authentication.
A malicious actor with network access to an impacted VMware product may exploit this vulnerability to take full control of the target system.
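For teams that run their own Spring MVC or WebFlux applications on these platforms and cannot move to the patched framework immediately, the Spring team published an interim workaround: a global @ControllerAdvice that denies the property paths through which data binding reaches the ClassLoader. The class below is an added example written for this page, not code from VMware's advisory or from its TKGI workaround instructions; the package and class names are this example's own choice, and it assumes a Spring MVC application with spring-webmvc on the classpath.

```java
// Added example: the data-binder denylist published by the Spring team as an
// interim workaround for CVE-2022-22965. Not code from this advisory or from
// VMware's TKGI workaround. Package and class names are this example's own.
package com.example.hardening;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Applies to every @Controller in the application. The @InitBinder callback
 * runs before request parameters are bound to a handler method's model
 * attribute, so it is the point at which property paths can be refused.
 *
 * LOWEST_PRECEDENCE makes this advice run after any other @ControllerAdvice,
 * so another global advice cannot replace the list set here.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderDenylistAdvice {

    // Property paths that reach java.lang.Class (and from there the
    // ClassLoader) via getClass() on any bound bean. Patterns are Ant-style:
    // "*.class.*" also blocks nested paths such as "user.class.module...".
    private static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void denyClassLoaderPaths(WebDataBinder binder) {
        // Replaces (does not append to) the binder's disallowed-field list.
        binder.setDisallowedFields(DENYLIST);
    }
}
```

Two caveats before relying on this. setDisallowedFields replaces the list rather than appending to it, and controller-local @InitBinder methods run after global ones, so any controller that sets its own disallowed fields overrides this advice for that controller and needs the same four patterns in its own list. The advice also does not cover code that constructs a DataBinder directly or binds request data outside Spring MVC/WebFlux handler methods. Treat it as a stopgap: the fix is the patched framework (Spring Framework 5.3.18 or 5.2.20) or, for the VMware products in this advisory, the fixed product versions.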
| CVE/Vulnerability | Description | CVSSv3 Base Score |
| --- | --- | --- |
| CVE-2022-22965 | Remote Code Execution Vulnerability | 9.8 |

Table 1: Vulnerability details
| CVE/Vulnerability | Affected Product(s) | Affected Versions | Fixed Versions |
| --- | --- | --- | --- |
| CVE-2022-22965 | VMware Tanzu Application Service for VMs | 2.10 | 2.10.29 |
| CVE-2022-22965 | VMware Tanzu Application Service for VMs | 2.11 | 2.11.17 |
| CVE-2022-22965 | VMware Tanzu Application Service for VMs | 2.12 | 2.12.10 |
| CVE-2022-22965 | VMware Tanzu Application Service for VMs | 2.13 | 2.13.1 |
| CVE-2022-22965 | VMware Tanzu Operations Manager | 2.8 | 2.8.20 |
| CVE-2022-22965 | VMware Tanzu Operations Manager | 2.9 | 2.9.35 |
| CVE-2022-22965 | VMware Tanzu Operations Manager | 2.10 | 2.10.35 |
| CVE-2022-22965 | VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) | 1.11 | Patch pending |
| CVE-2022-22965 | VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) | 1.12 | Patch pending |
| CVE-2022-22965 | VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) | 1.13 | Patch pending |

Table 2: Vulnerable versions
Updates are already available for the first two products in Table 2, as point releases of each affected version line, but VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) has not yet received a permanent fix.
Until a patched TKGI release ships, apply the workaround instructions VMware has published (see the link in the references). Treat the workaround as interim only: re-check the advisory for the fixed TKGI release and upgrade as soon as it is available, and confirm that the other products are on at least the fixed versions listed in Table 2.
