VMware says 3 Tanzu products impacted by Spring4Shell vulnerability

VMware disclosed on Saturday that three Tanzu products are “impacted” by the remote code execution (RCE) vulnerability in Spring Core known as Spring4Shell.

The company said in an advisory that the three affected products are VMware Tanzu Application Service for VMs, VMware Tanzu Operations Manager and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).

“A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system,” VMware said in the advisory.

Patches are now available for Tanzu Application Service for VMs (versions 2.11 and above), Tanzu Application Service (version 2.10) and Tanzu Operations Manager (versions 2.8 and above), according to the advisory.

As of this writing, VMware’s advisory says patches are pending for affected versions of TKGI, which are versions 1.11 and above.

Details on the vulnerability that came to be known as Spring4Shell leaked on Tuesday, and the open source vulnerability was acknowledged by VMware-owned Spring on Thursday.

The RCE vulnerability (CVE-2022-22965) affects JDK 9 or higher and has several additional requirements for it to be exploited, including that the application runs on Apache Tomcat, Spring said in its blog post Thursday.

All organizations that use the popular Java framework Spring have been urged to patch, regardless of whether they believe their applications to be vulnerable.

Critical vulnerability

Now, VMware says that its Tanzu application platform is impacted by the Spring4Shell vulnerability, as well. The vulnerability has received a CVSSv3 severity rating of 9.8, making it a “critical” flaw.

Along with the details on the affected versions of the impacted Tanzu products and on patches, the VMware advisory includes links to workarounds for the issue for Tanzu Application Service for VMs and TKGI.

“At the time of this publication, VMware has reviewed its product portfolio and found that the products listed in this advisory are affected,” the company said in its advisory. “VMware continues to investigate this vulnerability, and will update the advisory should any changes evolve.”

While Spring4Shell is considered a “general” vulnerability — with a potential for additional exploits — the best advice is that all Spring users should patch if possible, experts have told VentureBeat.

However, even with the worst-case scenario for Spring4Shell, it is highly unlikely to become as large of an issue as the Log4Shell vulnerability, which affected the widely used Apache Log4j software, experts have said.