Effective URL: https://tanzu.vmware.com/security/cve-2022-22965

CVE-2022-22965: SPRING FRAMEWORK RCE VIA DATA BINDING ON JDK 9+


Severity

Critical

Vendor

Spring by VMware

Description

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable
to remote code execution (RCE) via data binding. The specific exploit requires
the application to run on Tomcat as a WAR deployment. If the application is
deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable
to the exploit. However, the nature of the vulnerability is more general, and
there may be other ways to exploit it.

These are the prerequisites for the exploit:

 * JDK 9 or higher
 * Apache Tomcat as the Servlet container
 * Packaged as WAR
 * spring-webmvc or spring-webflux dependency

Affected VMware Products and Versions

Severity is critical unless otherwise noted.

 * Spring Framework
   * 5.3.0 to 5.3.17
   * 5.2.0 to 5.2.19
   * Older, unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation: 5.3.x users
should upgrade to 5.3.18+, and 5.2.x users should upgrade to 5.2.20+. No other
steps are necessary. Other mitigation steps exist for applications that cannot
upgrade to the above versions; they are described in the early announcement
blog post listed under the References section below. Releases that have fixed
this issue include:

 * Spring Framework
   * 5.3.18+
   * 5.2.20+
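An added triage helper, not VMware's or the Spring project's own tooling, that encodes the version ranges from this advisory and the four exploit prerequisites above. It assumes dependency coordinates in the `group:artifact:type:version:scope` shape that `mvn dependency:list` prints (no classifier), and the sample input is constructed.

```python
"""Triage helper for CVE-2022-22965 (Spring Framework RCE via data binding).

Affected per the advisory: 5.3.0-5.3.17, 5.2.0-5.2.19 and older unsupported
lines. Fixed: 5.3.18+ and 5.2.20+. An affected version must be upgraded even
when the known Tomcat/WAR exploit path does not apply to the deployment.
"""
import re

SPRING_GROUP = "org.springframework"
FIXED = {(5, 3): 18, (5, 2): 20}  # first fixed patch level per supported line
BINDING_ENTRYPOINTS = ("spring-webmvc", "spring-webflux")

# Constructed sample, shaped like `mvn dependency:list` output (assumption).
SAMPLE_DEPS = [
    "org.springframework:spring-core:jar:5.3.17:compile",
    "org.springframework:spring-webmvc:jar:5.3.17:compile",
    "org.springframework.boot:spring-boot:jar:2.6.5:compile",
    "org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.60:compile",
]

def parse_version(v):
    """'5.2.19.RELEASE' or '5.3.17' -> (5, 2, 19); qualifiers are dropped."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_affected_version(v):
    major, minor, patch = parse_version(v)
    line = (major, minor)
    if line in FIXED:
        return patch < FIXED[line]
    # Anything below 5.2 is an older, unsupported line: affected per advisory.
    return line < (5, 2)

def triage(dependency_lines):
    """Return (artifact, version, affected) for each org.springframework artifact."""
    findings = []
    for line in dependency_lines:
        parts = line.strip().split(":")
        if len(parts) < 4 or parts[0] != SPRING_GROUP:
            continue
        artifact, version = parts[1], parts[3]
        findings.append((artifact, version, is_affected_version(version)))
    return findings

def summarize(dependency_lines, jdk_major, packaging, container):
    findings = triage(dependency_lines)
    affected = [f for f in findings if f[2]]
    has_entrypoint = any(a in BINDING_ENTRYPOINTS for a, _, _ in findings)
    # The advisory's known exploit path needs all four prerequisites at once.
    known_path = (bool(affected) and has_entrypoint and jdk_major >= 9
                  and packaging == "war" and container == "tomcat")
    return {"affected_artifacts": affected,
            "known_exploit_path": known_path,
            "upgrade_required": bool(affected)}
```

`upgrade_required` stays true whenever an affected version is present, reflecting the advisory's note that other exploit paths may exist beyond the Tomcat/WAR one.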

Credit

This vulnerability was responsibly reported to VMware by codeplutos, meizjm3i of
AntGroup FG Security Lab. A secondary report was also received from Praetorian.

References
 * https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
 * https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

History

2022-03-31: Initial vulnerability report published.
