
Vertica Security Bulletin - Spring4Shell Vulnerability CVE-2022-22965 — Vertica Forum

Vertiguy, Administrator
edited April 2022 in General Discussion

Security Bulletin - Spring4Shell Vulnerability CVE-2022-22965
Potential Security Impact: Remote Code Execution
VULNERABILITY SUMMARY
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment.
If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to the exploit.
These are the prerequisites for the exploit:
• JDK 9 or higher
• Apache Tomcat as the Servlet container
• Packaged as WAR
• spring-webmvc or spring-webflux dependency
Affected Vertica Micro Focus Products and Versions
Spring Framework
• 5.3.0 to 5.3.17
• 5.2.0 to 5.2.19
• Older, unsupported versions are also affected
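As an added example (not part of this bulletin or any Vertica tooling), the following Python checks a WAR against the exploit prerequisites and the affected Spring Framework ranges listed above. It assumes the JDK major version and servlet container are supplied by the operator rather than detected, and the sample WAR it builds is a constructed fixture containing empty placeholder jars.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Affected ranges from the bulletin (inclusive); older unsupported versions are affected too.
AFFECTED_RANGES = [((5, 3, 0), (5, 3, 17)), ((5, 2, 0), (5, 2, 19))]
OLDEST_SUPPORTED = (5, 2, 0)
SPRING_WEB_ARTIFACTS = ("spring-webmvc", "spring-webflux")  # bulletin prerequisite

def parse_version(text):
    """Extract a (major, minor, patch) tuple from a jar file name; None if absent."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def version_affected(v):
    return v < OLDEST_SUPPORTED or any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def spring_web_jars(war_path):
    """Map each spring-webmvc/spring-webflux jar bundled under WEB-INF/lib to its version."""
    found = {}
    with zipfile.ZipFile(war_path) as war:
        for entry in war.namelist():
            base = Path(entry).name
            for artifact in SPRING_WEB_ARTIFACTS:
                if base.startswith(artifact + "-") and base.endswith(".jar"):
                    found[artifact] = parse_version(base)
    return found

def assess(war_path, jdk_major, servlet_container):
    """Evaluate the bulletin's four prerequisites; 'exposed' is True only if all hold."""
    jars = spring_web_jars(war_path)
    prereqs = {
        "jdk_9_or_higher": jdk_major >= 9,
        "tomcat_container": servlet_container.lower() == "tomcat",
        "war_packaging": str(war_path).lower().endswith(".war"),
        "affected_spring_web": any(v and version_affected(v) for v in jars.values()),
    }
    return {"prerequisites": prereqs, "spring_web_jars": jars, "exposed": all(prereqs.values())}

def build_sample_war(file_name, jar_names):
    # Constructed fixture: a WAR with empty placeholder jars, written to a fresh temp dir.
    path = Path(tempfile.mkdtemp()) / file_name
    with zipfile.ZipFile(path, "w") as war:
        for name in jar_names:
            war.writestr(f"WEB-INF/lib/{name}", b"")
    return path

if __name__ == "__main__":
    war = build_sample_war("app.war", ["spring-webmvc-5.3.17.jar"])
    print(assess(war, jdk_major=11, servlet_container="Tomcat"))
```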
CVE References: CVE-2022-22965
CVSS Version 3.1 Metrics:
Reference: CVE-2022-22965
V3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
V3.1 Base Score: 9.8
RESOLUTION:
Vertica Server
Vertica Server and associated components are not impacted by this vulnerability.
Vertica Accelerator
Vertica Accelerator is not impacted by this vulnerability.
