VMware says 3 Tanzu products impacted by Spring4Shell vulnerability
VMware disclosed on Saturday that three Tanzu products are “impacted” by the remote code execution (RCE) vulnerability in Spring Core known as Spring4Shell.
The company said in an advisory that the three affected products are VMware Tanzu Application Service for VMs, VMware Tanzu Operations Manager and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).
“A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system,” VMware said in the advisory.
Patches are now available for Tanzu Application Service for VMs (versions 2.11 and above), Tanzu Application Service (version 2.10) and Tanzu Operations Manager (versions 2.8 and above), according to the advisory.
As of this writing, VMware’s advisory says patches are pending for affected versions of TKGI, which are versions 1.11 and above.
Details on the vulnerability that came to be known as Spring4Shell leaked on Tuesday, and the open source vulnerability was acknowledged by VMware-owned Spring on Thursday.
The RCE vulnerability (CVE-2022-22965) affects JDK 9 or higher and has several additional requirements for it to be exploited, including that the application runs on Apache Tomcat, Spring said in its blog post Thursday.
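As an added example (not code from the article, VMware or Spring), a small Python triage script that flags the applications in an inventory matching the exploitation conditions named above: JDK 9 or higher, deployment on Apache Tomcat, and an unpatched Spring Framework. The Spring fix versions in FIRST_PATCHED and the inventory are assumptions constructed for the example; check the version line against the Spring advisory.

```python
"""Spring4Shell (CVE-2022-22965) exposure triage over an application inventory.
Added example for this page; it is not VMware's or Spring's own tooling."""
import re

# Assumption (not on the page): first patched patch-level per Spring Framework
# 5.x minor line. Placeholder values; confirm against the Spring advisory.
FIRST_PATCHED = {2: 20, 3: 18}   # 5.2.x -> 5.2.20, 5.3.x -> 5.3.18

def jdk_major(version: str) -> int:
    """Feature release of a JDK version string.
    JDK 8 and older report '1.8.0_312'; JDK 9+ report '9', '11.0.14', '17'."""
    parts = version.split(".")
    if parts[0] == "1" and len(parts) > 1:
        return int(parts[1])
    return int(re.match(r"\d+", parts[0]).group())

def spring_unpatched(version: str) -> bool:
    """True unless the Spring Framework version is at or past FIRST_PATCHED."""
    major, minor, patch = (int(x) for x in
                           re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    if major != 5 or minor not in FIRST_PATCHED:
        return True            # unknown or out-of-support line: treat as unpatched
    return patch < FIRST_PATCHED[minor]

def exposed(app: dict) -> bool:
    """Match the exploitation conditions the article names: JDK 9 or higher,
    running on Apache Tomcat, plus an unpatched Spring Framework."""
    return (jdk_major(app["jdk"]) >= 9
            and app["container"].lower() == "tomcat"
            and spring_unpatched(app["spring"]))

def triage(inventory: list) -> list:
    """Names of apps to patch first. Everything else still gets patched, as
    the article advises; this only orders the work."""
    return sorted(app["name"] for app in inventory if exposed(app))

# Constructed inventory for the example; not real systems.
INVENTORY = [
    {"name": "orders",  "jdk": "11.0.14",   "container": "Tomcat", "spring": "5.3.17"},
    {"name": "billing", "jdk": "1.8.0_312", "container": "Tomcat", "spring": "5.3.17"},
    {"name": "search",  "jdk": "17.0.2",    "container": "Jetty",  "spring": "5.3.17"},
    {"name": "portal",  "jdk": "17",        "container": "Tomcat", "spring": "5.3.18"},
]

if __name__ == "__main__":
    print("patch first:", triage(INVENTORY))   # ['orders']
```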
All organizations that use the popular Java framework Spring have been urged to patch, regardless of whether they believe their applications to be vulnerable.
Now, VMware says that its Tanzu application platform is impacted by the Spring4Shell vulnerability, as well. The vulnerability has received a CVSSv3 severity rating of 9.8, making it a “critical” flaw.
Along with the details on the affected versions of the impacted Tanzu products and on patches, the VMware advisory includes links to workarounds for the issue for Tanzu Application Service for VMs and TKGI.
“At the time of this publication, VMware has reviewed its product portfolio and found that the products listed in this advisory are affected,” the company said in its advisory. “VMware continues to investigate this vulnerability, and will update the advisory should any changes evolve.”
While Spring4Shell is considered a “general” vulnerability — with a potential for additional exploits — the best advice is that all Spring users should patch if possible, experts have told VentureBeat.
However, even in the worst-case scenario for Spring4Shell, it is highly unlikely to become as large an issue as the Log4Shell vulnerability, which affected the widely used Apache Log4j software, experts have said.