CVE Description: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
List of Micro Focus Products Not Impacted by CVE-2022-22965 Spring4Shell and Security Bulletins for Impacted Products
Are you aware of this new vulnerability?
Yes, and we have a robust, dedicated, full-time threat intelligence team with a Micro Focus-wide view that is constantly reviewing new reports of vulnerabilities, threats, and compromises for possible impact to our information assets.
Have you scanned, and/or are you currently scanning, for CVE-2022-22965 and all related compromises/vulnerabilities?
Micro Focus implements a Secure Development Lifecycle that includes Supply Chain Security, 3rd Party Component Manifest and 3rd Party Component Monitoring. Using these formal practices, we help ensure that 3rd party components are sourced from trusted repositories, scanned and tested, free of known CVEs, and signed to ensure authenticity. New vulnerabilities are scanned and tracked to ensure closure. Additionally, Micro Focus has scheduled rolling scans using a variety of tools to detect a wide variety of vulnerabilities. Vendor rule sets/signatures and code are typically scrutinized after a new vulnerability announcement. We continue to get updates from our security vendors and internal security community on the latest scanning techniques for CVE-2022-22965 and other vulnerabilities. We also take a risk-based approach to prioritizing which patches get applied first.
Have you implemented or are you currently implementing patches and mitigation measures for the CVE-2022-22965 and all related vulnerabilities on targeted or potentially impacted systems?
We are prioritizing CVE-2022-22965 alongside other patch efforts. We rank potential patches according to CVSS scoring, and also our own enhanced scoring system that takes additional data points into account. Configuration changes or patch installations require Quality Assurance analysis and testing prior to deployment to production systems to prevent unexpected service interruptions.
Have you identified that there are no indications of compromise related to CVE-2022-22965 or any related vulnerabilities on the targeted or potentially impacted systems?
At present, we are not aware of any current indications of compromise related to CVE-2022-22965 or related vulnerabilities.
Has any data currently in your possession as part of the agreed provision of services to the customer been improperly accessed or disclosed as a result of CVE-2022-22965 or any related vulnerabilities?
At present, we are not aware of any improper access or disclosure of customer data related to CVE-2022-22965 or any related vulnerabilities.
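The exposure conditions in the CVE description at the top of this page (Spring MVC or WebFlux on the classpath, JDK 9+, deployed as a WAR on Tomcat rather than as a Spring Boot executable jar) can be turned into a triage check over an application's build metadata. This is an added example, not Micro Focus or Spring project code; the pom.xml fragment and `java -version` output it inspects are constructed samples, and it assumes a Maven POM that declares the standard POM namespace.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a Spring MVC application packaged as a WAR.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <packaging>war</packaging>
  <dependencies>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-webmvc</artifactId></dependency>
  </dependencies>
</project>"""

# Constructed sample of `java -version` output on JDK 17.
SAMPLE_JAVA_VERSION = 'openjdk version "17.0.2" 2022-01-18'

def jdk_major(version_output: str) -> int:
    """Extract the JDK major version; handles both '1.8.0_292' (-> 8) and '17.0.2' (-> 17)."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_output)
    if not m:
        raise ValueError("unrecognised java -version output")
    major = int(m.group(1))
    # Pre-JDK 9 versions are written as 1.x; the real major is the second field.
    return int(m.group(2)) if major == 1 and m.group(2) else major

def pom_facts(pom_xml: str) -> dict:
    """Read packaging type and whether a Spring MVC/WebFlux artifact is declared (assumes the standard POM namespace)."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_xml)
    packaging = root.findtext("m:packaging", default="jar", namespaces=ns)  # Maven defaults to jar
    artifacts = {a.text for a in root.iterfind(".//m:dependency/m:artifactId", ns)}
    spring_web = bool(artifacts & {"spring-webmvc", "spring-webflux",
                                   "spring-boot-starter-web", "spring-boot-starter-webflux"})
    return {"packaging": packaging.strip(), "spring_web": spring_web}

def triage(pom_xml: str, java_version_output: str) -> str:
    """Apply the CVE-2022-22965 preconditions from the description and return a verdict string."""
    facts = pom_facts(pom_xml)
    if not facts["spring_web"]:
        return "no Spring MVC/WebFlux dependency found: data binding path not present"
    if jdk_major(java_version_output) < 9:
        return "JDK 8 or older: published exploit requires JDK 9+; still patch Spring"
    if facts["packaging"] == "war":
        return "JDK 9+ and WAR packaging on Tomcat: matches the published exploit preconditions; patch immediately"
    return "JDK 9+ but executable jar packaging: outside the published exploit, flaw is more general; patch"

if __name__ == "__main__":
    print(triage(SAMPLE_POM, SAMPLE_JAVA_VERSION))
```

Because the description notes the flaw is more general than the Tomcat WAR exploit, the jar and JDK 8 branches still recommend patching rather than reporting "not affected".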