VMware Says 3 Tanzu Products Affected by Spring4Shell Vulnerability



VMware announced on Saturday that three Tanzu products are “affected” by the remote code execution (RCE) vulnerability in Spring Core, known as Spring4Shell.

The company said in an advisory that the three affected products are VMware Tanzu Application Service for VMs, VMware Tanzu Operations Manager and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).

“A malicious actor with network access to an affected VMware product could exploit this issue to gain full control over the target system,” VMware said in the advisory.

As per the advisory, patches are now available for Tanzu Application Service for VMs (versions 2.11 and later), Tanzu Application Service (version 2.10) and Tanzu Operations Manager (versions 2.8 and later).

At the time of writing, VMware’s advisory says patches are pending for the affected versions of TKGI, which are versions 1.11 and above.

Details about the vulnerability known as Spring4Shell were leaked Tuesday, and the flaw in the open source framework was acknowledged Thursday by VMware-owned Spring.

The RCE vulnerability (CVE-2022-22965) affects applications running on JDK 9 or later and has several additional requirements for it to be exploited, including that the application run on Apache Tomcat, Spring said in its blog post on Thursday.
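The preconditions above are the first thing a responder checks when triaging a Spring deployment. The script below is an added example (it is not code from the VentureBeat article, VMware, or the Spring project) that walks a Tomcat-style deployment directory and reports which of those preconditions are met: the JDK major version parsed from `java -version` output, whether the deployment contains Spring Framework `spring-beans`, `spring-webmvc` or `spring-webflux` jars older than the fixed releases (5.3.18 and 5.2.20, the Spring Framework versions that patched CVE-2022-22965), and whether it looks like a WAR deployed on Tomcat. The directory layout, jar names and `java -version` strings are constructed for the example, and the Tomcat/WAR heuristics (`catalina.jar` in `lib/`, a `.war` file or a `WEB-INF` directory under `webapps/`) are assumptions, not Spring's or VMware's detection logic.

```python
"""Triage check for the CVE-2022-22965 (Spring4Shell) exploit preconditions.

Added example, not from the article, VMware or Spring. The fixed Spring
Framework versions (5.3.18 / 5.2.20) are the published patched releases;
the deployment layout and heuristics below are assumptions for the demo.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Spring Framework releases that fixed CVE-2022-22965, keyed by 5.x minor.
FIXED_PATCH = {3: 18, 2: 20}

# The vulnerable data-binding code lives in spring-beans and is reached through
# spring-webmvc / spring-webflux parameter binding, so only those jars matter.
JAR_RE = re.compile(
    r"^spring-(beans|webmvc|webflux)-(\d+)\.(\d+)\.(\d+)(?:\.RELEASE)?\.jar$"
)


def parse_java_version(version_line: str) -> Optional[int]:
    """Return the Java major version from the first line of `java -version`.

    Handles the legacy "1.8.0_292" form (major 8) and modern "11.0.15" / "17".
    """
    m = re.search(r'"(\d+)(?:\.(\d+))?', version_line)
    if not m:
        return None
    first, second = int(m.group(1)), m.group(2)
    if first == 1 and second is not None:
        return int(second)
    return first


def spring_jar_vulnerable(filename: str) -> Optional[bool]:
    """True if the jar is a Spring Framework jar older than the fix.

    Returns None when the file is not a spring-beans/webmvc/webflux jar.
    """
    m = JAR_RE.match(filename)
    if not m:
        return None
    major, minor, patch = int(m.group(2)), int(m.group(3)), int(m.group(4))
    if major < 5:
        return True          # 4.x and older never received a fix
    if major > 5:
        return False         # 6.x was released after the fix
    fixed = FIXED_PATCH.get(minor)
    if fixed is None:
        return minor < 2     # 5.0/5.1 are end-of-life and unpatched
    return patch < fixed


@dataclass
class Assessment:
    java_major: Optional[int]
    vulnerable_jars: List[str]
    war_deployment: bool
    tomcat: bool

    @property
    def meets_all_preconditions(self) -> bool:
        """All published preconditions hold: JDK 9+, old Spring, WAR on Tomcat."""
        return (self.java_major is not None and self.java_major >= 9
                and bool(self.vulnerable_jars)
                and self.war_deployment and self.tomcat)


def assess(deploy_dir: str, java_version_line: str) -> Assessment:
    """Walk a deployment directory and report which preconditions are met."""
    vulnerable, war, tomcat = [], False, False
    for root, dirs, files in os.walk(deploy_dir):
        if "WEB-INF" in dirs:
            war = True                      # exploded WAR (assumed heuristic)
        for name in files:
            if name.endswith(".war"):
                war = True
            if name == "catalina.jar":
                tomcat = True               # Tomcat runtime jar (assumed heuristic)
            if spring_jar_vulnerable(name):
                vulnerable.append(os.path.join(root, name))
    return Assessment(parse_java_version(java_version_line), sorted(vulnerable), war, tomcat)


def build_sample_deployment() -> str:
    """Constructed Tomcat-like layout for the example; not a real deployment."""
    base = tempfile.mkdtemp(prefix="spring4shell-demo-")
    os.makedirs(os.path.join(base, "lib"))
    os.makedirs(os.path.join(base, "webapps", "app", "WEB-INF", "lib"))
    for rel in ("lib/catalina.jar",
                "webapps/app.war",
                "webapps/app/WEB-INF/lib/spring-beans-5.3.17.jar",
                "webapps/app/WEB-INF/lib/spring-webmvc-5.3.17.jar",
                "webapps/app/WEB-INF/lib/spring-core-5.3.17.jar"):
        open(os.path.join(base, rel), "wb").close()
    return base


if __name__ == "__main__":
    # Constructed `java -version` first line; in practice feed the real output.
    result = assess(build_sample_deployment(), 'openjdk version "11.0.15" 2022-04-19')
    print(f"JDK major: {result.java_major}, WAR: {result.war_deployment}, "
          f"Tomcat: {result.tomcat}")
    for jar in result.vulnerable_jars:
        print("vulnerable jar:", jar)
    print("all preconditions met:", result.meets_all_preconditions)
```

A deployment that fails one of the checks (for example a Spring Boot executable jar with embedded Tomcat, which has no `.war` and no `WEB-INF` directory at the top level) is reported as not meeting all preconditions, matching Spring's stated requirements at the time; since Spring also described the underlying issue as more general, an old `spring-beans` jar on its own is still a reason to patch rather than to stop investigating.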

All organizations using the popular Java framework Spring have been urged to patch regardless of whether they believe their applications are vulnerable.

Critical Vulnerability

Now VMware says its Tanzu application platform is also affected by the Spring4Shell vulnerability. The vulnerability has been given a CVSSv3 severity rating of 9.8, making it a “critical” vulnerability.

In addition to details about the affected versions of the affected Tanzu products and about patches, the VMware advisory includes links to workarounds for the issue for Tanzu Application Service for VMs and TKGI.

“At the time of this publication, VMware has reviewed its product portfolio and determined that the products identified in this advisory are affected,” the company said in its advisory. “VMware continues to investigate this vulnerability and will update the advisory if changes occur.”

While Spring4Shell is considered a “generic” vulnerability — with the potential for additional exploits — the best advice is that all Spring users should patch if possible, experts have told VentureBeat.

But even with the worst-case scenario for Spring4Shell, it’s highly unlikely it will become as big of an issue as the Log4Shell vulnerability, which affected widely used Apache Log4j software, experts said.


This post, "VMware Says 3 Tanzu Products Affected by Spring4Shell Vulnerability", was originally published at https://venturebeat.com/2022/04/02/vmware-says-3-tanzu-products-impacted-by-spring4shell-vulnerability/
