Vertica Security Bulletin - Spring4Shell Vulnerability CVE-2022-22965

Vertiguy Administrator
edited April 18 in General Discussion

Security Bulletin - Spring4Shell Vulnerability CVE-2022-22965
Potential Security Impact: Remote Code Execution

VULNERABILITY SUMMARY
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code
execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR
deployment.
If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to the
exploit.
These are the prerequisites for the exploit:
• JDK 9 or higher
• Apache Tomcat as the Servlet container
• Packaged as WAR
• spring-webmvc or spring-webflux dependency

Affected Vertica Micro Focus Products and Versions
Spring Framework
• 5.3.0 to 5.3.17
• 5.2.0 to 5.2.19
• Older, unsupported versions are also affected

CVE References: CVE-2022-22965

CVSS Version 3.1 Metrics:
Reference: CVE-2022-22965
V3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
V3.1 Base Score: 9.8

RESOLUTION:
Vertica Server
Vertica Server and associated components are not impacted by this vulnerability.
Vertica Accelerator
Vertica Accelerator is not impacted by this vulnerability.
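
To check your own applications against the prerequisites and version ranges listed in the bulletin, here is an added example (not Vertica or Spring project code). It assumes jars sit in WEB-INF/lib with the usual artifact-version.jar naming, and that the caller supplies the JDK major version and container name; all function names are hypothetical.

```python
import io
import re
import zipfile

# Jar names the bulletin lists as the dependency prerequisite.
JAR_RE = re.compile(r"^WEB-INF/lib/(spring-web(?:mvc|flux))-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")

def version_affected(v):
    """Apply the bulletin's ranges: 5.3.0-5.3.17, 5.2.0-5.2.19, and older."""
    if v[:2] == (5, 3):
        return v <= (5, 3, 17)
    if v[:2] == (5, 2):
        return v <= (5, 2, 19)
    return v < (5, 2, 0)

def scan_war(war_file):
    """Return [(artifact, 'x.y.z', affected)] for Spring web jars in a WAR."""
    findings = []
    with zipfile.ZipFile(war_file) as war:
        for name in war.namelist():
            m = JAR_RE.match(name)
            if m:
                v = tuple(int(p) for p in m.groups()[1:])
                findings.append((m.group(1), ".".join(map(str, v)), version_affected(v)))
    return findings

def meets_prerequisites(war_file, jdk_major, container):
    """True only when every prerequisite from the bulletin holds."""
    return (jdk_major >= 9
            and container.lower() == "tomcat"
            and any(affected for _, _, affected in scan_war(war_file)))

def build_sample_war(jar_names):
    """Constructed sample input: an in-memory WAR with empty jar entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for jar in jar_names:
            war.writestr("WEB-INF/lib/" + jar, b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    war = build_sample_war(["spring-webmvc-5.3.17.jar", "spring-core-5.3.17.jar"])
    print(scan_war(war))
    print(meets_prerequisites(war, jdk_major=11, container="Tomcat"))
```

An empty result only means no conventionally named Spring web jar was found; repackaged or shaded jars need a dependency-tree check instead.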
