VMware patches RCE Spring4Shell vulnerability on a wide range of products

The list of products affected by Spring4Shell is posted by VMware in the security warning that the company has just posted. For unpatched products, VMware also provides a temporary fix.

At this point, users should follow the security guidelines because Spring4Shell is being actively exploited by hackers.

Spring4Shell is a remote code execution (RCE) vulnerability tracked under code CVE-2022-22965. This vulnerability resides in the Spring Core Java framework and can be exploited without authentication, with a severity rating of 9.8 out of 10.

Since Spring Framework is widely deployed for Java application development, security analysts are concerned about large-scale attacks targeting the Spring4Shell vulnerability.

VMware patches RCE Spring4Shell vulnerability on a wide range of products Picture 1

Worse still, this exploit (PoC) method was shared on GitHub before the patches were released. Although it was immediately removed, this exploit method was shared everywhere on the internet.

This critical vulnerability affects Spring MVC and Spring WebFlux applications running on JDK 9+. To exploit requires the application to run on Tomcat as a WAR implementation although the exact limitations are still under investigation.

Below are the affected VMware products:

1. VMware Tanzu Application Service for VMs - versions 2.10 to 2.13.
2. VMware Tanzu Operation Manager - version 2.8 to 2.9.
3. VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) - versions 1.11 to 1.13.

If you are using products with the above versions, you should update immediately to ensure that all vulnerabilities are fixed.

Jessica Tanner

Update 05 April 2022