CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇬🇧 English

CVE-2022-22965

CVSS 9.8v3.1pub. 2022-04-01upd. 2025-10-30

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Cisco Cx Cloud Agent

    APP
    Cisco
    < 2.1.0
  • Oracle Commerce Platform

    APP
    Oracle
    11.3.2
  • Oracle Communications Cloud Native Core Automated Test Suite

    APP
    Oracle
    1.9.022.1.0
  • Oracle Communications Cloud Native Core Binding Support Function

    APP
    Oracle
    22.1.3
  • Oracle Communications Cloud Native Core Console

    APP
    Oracle
    1.9.022.1.0
  • Oracle Communications Cloud Native Core Network Exposure Function

    APP
    Oracle
    22.1.0
  • Oracle Communications Cloud Native Core Network Function Cloud Native Environment

    APP
    Oracle
    1.10.022.1.0
  • Oracle Communications Cloud Native Core Network Repository Function

    APP
    Oracle
    1.15.022.1.0
  • Oracle Communications Cloud Native Core Network Slice Selection Function

    APP
    Oracle
    1.15.01.8.022.1.0
  • Oracle Communications Cloud Native Core Policy

    APP
    Oracle
    1.15.022.1.0
  • Oracle Communications Cloud Native Core Security Edge Protection Proxy

    APP
    Oracle
    1.7.022.1.0
  • Oracle Communications Cloud Native Core Unified Data Repository

    APP
    Oracle
    1.15.022.1.0
  • Oracle Communications Policy Management

    APP
    Oracle
    12.6.0.0.0
  • Oracle Communications Unified Inventory Management

    APP
    Oracle
    7.4.17.4.27.5.0
  • Oracle Financial Services Analytical Applications Infrastructure

    APP
    Oracle
    8.1.18.1.2.0
  • Oracle Financial Services Behavior Detection Platform

    APP
    Oracle
    8.1.1.08.1.1.18.1.2.0
  • Oracle Financial Services Enterprise Case Management

    APP
    Oracle
    8.1.1.08.1.1.18.1.2.0
  • Oracle JDK

    APP
    Oracle
    ≥ 9
  • Oracle MySQL Enterprise Monitor

    APP
    Oracle
    < 8.0.29
  • Oracle Product Lifecycle Analytics

    APP
    Oracle
    3.6.1
  • Oracle Retail Bulk Data Integration

    APP
    Oracle
    16.0.3
  • Oracle Retail Customer Management And Segmentation Foundation

    APP
    Oracle
    17.018.019.0
  • Oracle Retail Financial Integration

    APP
    Oracle
    14.1.3.215.0.3.116.0.319.0.1
  • Oracle Retail Integration Bus

    APP
    Oracle
    14.1.3.215.0.3.116.0.319.0.1
  • Oracle Retail Merchandising System

    APP
    Oracle
    16.0.319.0.1
  • Oracle Retail Xstore Point Of Service

    APP
    Oracle
    20.0.121.0.0
  • Oracle Sd Wan Edge

    APP
    Oracle
    9.09.1
  • Oracle Weblogic Server

    APP
    Oracle
    12.2.1.3.012.2.1.4.014.1.1.0.0
  • Siemens Operation Scheduler

    APP
    Siemens
    < 2.0.4
  • Siemens Simatic Speech Assistant For Machines

    APP
    Siemens
    < 1.2.1

CISA KEV — szczegółyi

Dostawcai
VMware
Produkti
Spring Framework
Data dodania do KEVi
4 kwietnia 2022
Termin remediation (USA)i
25 kwietnia 2022(po terminie)
Wymagana akcja (CISA)i

Zastosuj aktualizacje zgodnie z instrukcjami producenta.

tłumaczenie AI
Pokaż oryginał (EN)

Apply updates per vendor instructions.

Opis CISAi

Aplikacja Spring MVC lub Spring WebFlux uruchomiona na JDK 9+ może być podatna na remote code execution (RCE) poprzez data binding.

tłumaczenie AI
Pokaż oryginał (EN)

Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.

🔴
NATYCHMIASTOWE DZIAŁANIE
Aktywnie wykorzystywane w atakach (CISA KEV). Załataj jak najszybciej.
CISA DEADLINE: 25 kwietnia 2022
Tagi
RCE
CWE
Referencje

Powiązane podatności

CVE-2022-22963CRITICAL9.8⚠ KEVten sam produkt

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionalit...

CVE-2022-22947CRITICAL10.0⚠ KEVten sam produkt

In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection ...

CVE-2021-45046CRITICAL9.0⚠ KEVten sam produkt

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-defau...

CVE-2021-44228CRITICAL10.0⚠ KEVten sam produkt

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features u...

CVE-2020-17530CRITICAL9.8⚠ KEVten sam produkt

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution....