cisco-sa-java-spring-rce-zx9guc67
Vulnerability from csaf_cisco
Published
2022-04-01 23:45
Modified
2023-02-09 15:14
Summary
Vulnerability in Spring Framework Affecting Cisco Products: March 2022

Notes

Summary
On March 31, 2022, the following critical vulnerability in the Spring Framework affecting Spring MVC and Spring WebFlux applications running on JDK 9+ was released:

    CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

For a description of this vulnerability, see VMware Spring Framework Security Vulnerability Report ["https://tanzu.vmware.com/security/cve-2022-22965"].
Affected Products
Cisco investigated its product line to determine which products may be affected by this vulnerability. The Vulnerable Products ["#vp"] section includes Cisco bug IDs for each affected product. The bugs are accessible through the Cisco Bug Search Tool ["https://bst.cloudapps.cisco.com/bugsearch/bug/BUGID"] and contain additional platform-specific information, including workarounds (if available) and fixed software releases. Any product not listed in the Affected Products section of this advisory is to be considered not vulnerable.
Vulnerable Products
Cisco investigated its product line to determine which products may be affected by this vulnerability.

The following table lists Cisco products that are affected by the vulnerability that is described in this advisory. If a future release date is indicated for software, the date provided represents an estimate based on all information known to Cisco as of the Last Updated date at the top of the advisory. Availability dates are subject to change based on a number of factors, including satisfactory testing results and delivery of other priority features and fixes. Customers should refer to the associated Cisco bug(s) for further details.

Product | Cisco Bug ID | Fixed Release Availability ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"]

Endpoint Clients and Client Software
Cisco CX Cloud Agent Software | CSCwb41735 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb41735"] | 2.0 (Available)

Network Management and Provisioning
Cisco Automated Subsea Tuning | CSCwb43658 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43658"] | 2.1.0 (31 May 2022)
Cisco Crosswork Network Controller | CSCwb43703 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43703"] | 3.0.2 (Available); 2.0.2 (Available)
Cisco Crosswork Optimization Engine | CSCwb43709 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43709"] | 3.1.1 (Available); 2.1.1 (Available)
Cisco Crosswork Zero Touch Provisioning (ZTP) | CSCwb43706 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43706"] | 3.0.2 (Available); 2.0.2 (Available)
Cisco DNA Center | CSCwb43650 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43650"] | 2.3.3.3 (17 Jun 2022); 2.2.3.6 (6 Jun 2022); 2.2.2.9 (6 Jun 2022)
Cisco Evolved Programmable Network Manager | CSCwb43643 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43643"] | 6.0.1.1 (Available); 5.1.4.1 (Available); 5.0.2.3 (Available)
Cisco Managed Services Accelerator (MSX) | CSCwb43667 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43667"] | 4.2.3 (Available)
Cisco Optical Network Planner | CSCwb43691 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43691"] | 4.2 (31 May 2022); 5.0 (30 Aug 2022)
Cisco WAN Automation Engine (WAE) Live | CSCwb43708 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43708"] | 7.5.2.1 (Available); 7.4.0.2 (Available); 7.3.0.3 (Available)
Cisco WAN Automation Engine (WAE) | CSCwb43708 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43708"] | 7.5.2.1 (Available); 7.4.0.2 (Available); 7.3.0.3 (Available)
Data Center Network Manager (DCNM) | CSCwb43637 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43637"] | 11.5.4 (Available)
Nexus Dashboard Fabric Controller (NDFC) | CSCwb43637 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43637"] | 12.1.1 (30 Jun 2022)

Routing and Switching - Enterprise and Service Provider
Cisco Optical Network Controller | CSCwb43692 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43692"] | 2.0 (31 May 2022)
Cisco Software-Defined AVC (SD-AVC) | CSCwb43727 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43727"] | 4.3.1 (30 July 2022); 4.4.0 (30 Nov 2022)

Voice and Unified Communications Devices
Cisco Enterprise Chat and Email | CSCwb45202 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb45202"] | 11.6 - Not vulnerable; 12.0 (6 Jun 2022); 12.5 (6 Jun 2022); 12.6 ES2 (6 Jun 2022)

Video, Streaming, TelePresence, and Transcoding Devices
Cisco Meeting Server | CSCwb43662 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43662"] | 3.5.0 (Available); 3.4.2 (31 May 2022); 3.3.3 (17 Jun 2022)
Products Confirmed Not Vulnerable
Cisco investigated its product line to determine which products may be affected by this vulnerability.

Any product not listed in the Affected Products section of this advisory is to be considered not vulnerable.

Cisco has confirmed that this vulnerability does not affect the following Cisco products:

Cable Devices

Cisco Continuous Deployment and Automation Framework
Cisco Prime Cable Provisioning

Collaboration and Social Media

Cisco SocialMiner
Cisco Webex App, formerly Cisco Webex Teams
Cisco Webex Meetings Server

Network Application, Service, and Acceleration

Cisco Wide Area Application Services (WAAS)

Network and Content Security Devices

Cisco Adaptive Security Appliance (ASA) Software
Cisco Firepower Device Manager (FDM)
Cisco Firepower Management Center (FMC) Software
Cisco Firepower System Software
Cisco Identity Services Engine (ISE)
Cisco Secure Email Gateway, formerly Email Security Appliance (ESA)
Cisco Secure Email and Web Manager, formerly Cisco Content Security Management Appliance (SMA)
Cisco Secure Network Analytics, formerly Cisco Stealthwatch
Cisco Security Manager
Cisco Umbrella Active Directory (AD) Connector
Cisco Umbrella Roaming Clients
Cisco Umbrella Virtual Appliance

Network Management and Provisioning

Cisco Application Policy Infrastructure Controller (APIC)
Cisco Business Process Automation
Cisco CloudCenter Action Orchestrator
Cisco CloudCenter Cost Optimizer
Cisco CloudCenter Suite Admin
Cisco CloudCenter Workload Manager
Cisco CloudCenter
Cisco Collaboration Audit and Assessments
Cisco Common Services Platform Collector (CSPC)
Cisco Connected Mobile Experiences
Cisco Connected Pharma
Cisco Crosswork Change Automation
Cisco Crosswork Data Gateway
Cisco Crosswork Network Automation
Cisco Crosswork Situation Manager
Cisco Elastic Services Controller (ESC)
Cisco Extensible Network Controller (XNC)
Cisco Intelligent Node (iNode) Manager
Cisco IoT Field Network Director, formerly Cisco Connected Grid Network Management System
Cisco NCS 2000 Shelf Virtualization Orchestrator (SVO)
Cisco Network Change and Configuration Management
Cisco Network Insights for Data Center
Cisco Nexus Dashboard Data Broker, formerly Cisco Nexus Data Broker
Cisco Nexus Dashboard, formerly Cisco Application Services Engine
Cisco Nexus Insights
Cisco Policy Suite for Mobile
Cisco Policy Suite
Cisco Prime Performance Manager
Cisco Smart PHY
Cisco ThousandEyes Endpoint Agent
Cisco ThousandEyes Enterprise Agent
Cisco Virtual Topology System - Virtual Topology Controller (VTC) VM

Routing and Switching - Enterprise and Service Provider

Cisco ACI HTML5 vCenter Plug-in
Cisco ASR 5000 Series Routers
Cisco Enterprise NFV Infrastructure Software (NFVIS)
Cisco GGSN Gateway GPRS Support Node
Cisco IOx Fog Director
Cisco IP Services Gateway (IPSG)
Cisco MME Mobility Management Entity
Cisco Mobility Unified Reporting and Analytics System
Cisco Network Convergence System 2000 Series
Cisco ONS 15454 Series Multiservice Provisioning Platforms
Cisco PDSN/HA Packet Data Serving Node and Home Agent
Cisco PGW Packet Data Network Gateway
Cisco SD-WAN vManage
Cisco System Architecture Evolution Gateway (SAEGW)
Cisco Ultra Packet Core
Cisco Ultra Services Platform

Routing and Switching - Small Business

Cisco Business Dashboard

Unified Computing

Cisco HyperFlex

Voice and Unified Communications Devices

Cisco BroadWorks
Cisco Cloud Connect
Cisco Emergency Responder
Cisco Packaged Contact Center Enterprise
Cisco Unified Attendant Console Advanced
Cisco Unified Attendant Console Business Edition
Cisco Unified Attendant Console Department Edition
Cisco Unified Attendant Console Enterprise Edition
Cisco Unified Attendant Console Premium Edition
Cisco Unified Communications Manager IM & Presence Service
Cisco Unified Communications Manager Session Management Edition
Cisco Unified Communications Manager
Cisco Unified Contact Center Enterprise
Cisco Unified Contact Center Express
Cisco Unified Customer Voice Portal
Cisco Unified Intelligence Center
Cisco Unity Connection
Cisco Virtualized Voice Browser

Video, Streaming, TelePresence, and Transcoding Devices

Cisco Expressway Series
Cisco TelePresence Integrator C Series
Cisco TelePresence MX Series
Cisco TelePresence Management Suite Provisioning Extensions
Cisco TelePresence Management Suite
Cisco TelePresence Precision Cameras
Cisco TelePresence Profile Series
Cisco TelePresence SX Series
Cisco TelePresence System EX Series
Cisco TelePresence Video Communication Server (VCS)
Cisco Touch
Cisco Video Surveillance Operations Manager
Cisco Vision Dynamic Signage Director
Cisco Webex Board Series
Cisco Webex Desk Series
Cisco Webex Room Navigator
Cisco Webex Room Series

Wireless

Cisco Ultra Cloud Core - Access and Mobility Management Function
Cisco Ultra Cloud Core - Network Repository Function
Cisco Ultra Cloud Core - Policy Control Function
Cisco Ultra Cloud Core - Redundancy Configuration Manager
Cisco Ultra Cloud Core - Session Management Function
Cisco Ultra Cloud Core - Subscriber Microservices Infrastructure

Cisco Cloud Hosted Services

Cisco BroadCloud
Cisco Industrial Asset Vision
Cisco IoT Control Center
Cisco IoT Operations Dashboard (IOTOC)
Cisco Kinetic for Cities
Cisco Registered Envelope Service
Cisco Smart Collector - Lifecycle Management
Cisco Umbrella
Cisco Unified Communications Manager Cloud
Cisco Webex Cloud-Connected UC (CCUC)
Workarounds
Any workarounds will be documented in the product-specific Cisco bugs, which are identified in the Vulnerable Products section of this advisory.
Fixed Software
For information about fixed software releases, consult the Cisco bugs identified in the Vulnerable Products ["#vp"] section of this advisory. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory.
Source
This vulnerability was publicly disclosed by VMware on March 31, 2022.
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
{
  "document": {
    "acknowledgments": [
      {
        "summary": "This vulnerability was publicly disclosed by VMware on March 31, 2022."
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "notes": [
      {
        "category": "summary",
        "text": "On March 31, 2022, the following critical vulnerability in the Spring Framework affecting Spring MVC and Spring WebFlux applications running on JDK 9+ was released:\r\n\r\n    CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+\r\n\r\nFor a description of this vulnerability, see VMware Spring Framework Security Vulnerability Report [\"https://tanzu.vmware.com/security/cve-2022-22965\"].\r\n\r\n",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "Cisco investigated its product line to determine which products may be affected by this vulnerability.\r\n\r\nThe Vulnerable Products [\"#vp\"] section includes Cisco bug IDs for each affected product. The bugs are accessible through the Cisco Bug Search Tool [\"https://bst.cloudapps.cisco.com/bugsearch/bug/BUGID\"] and contain additional platform-specific information, including workarounds (if available) and fixed software releases.\r\n\r\nAny product not listed in the Affected Products section of this advisory is to be considered not vulnerable.",
        "title": "Affected Products"
      },
      {
        "category": "general",
        "text": "Cisco investigated its product line to determine which products may be affected by this vulnerability.\r\n\r\nThe following table lists Cisco products that are affected by the vulnerability that is described in this advisory. If a future release date is indicated for software, the date provided represents an estimate based on all information known to Cisco as of the Last Updated date at the top of the advisory. Availability dates are subject to change based on a number of factors, including satisfactory testing results and delivery of other priority features and fixes. Customers should refer to the associated Cisco bug(s) for further details.\r\n        Product  Cisco Bug ID  Fixed Release Availability [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"]      Endpoint Clients and Client Software      Cisco CX Cloud Agent Software  CSCwb41735 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb41735\"]  2.0 (Available)      Network Management and Provisioning      Cisco Automated Subsea Tuning  CSCwb43658 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43658\"]  2.1.0 (31 May 2022)      Cisco Crosswork Network Controller  CSCwb43703 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43703\"]  3.0.2 (Available)\r\n2.0.2 (Available)      Cisco Crosswork Optimization Engine  CSCwb43709 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43709\"]  3.1.1 (Available)\r\n2.1.1 (Available)      Cisco Crosswork Zero Touch Provisioning (ZTP)  CSCwb43706 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43706\"]  3.0.2 (Available)\r\n2.0.2 (Available)      Cisco DNA Center  CSCwb43650 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43650\"]  2.3.3.3 (17 Jun 2022)\r\n2.2.3.6 (6 Jun 2022)\r\n2.2.2.9 (6 Jun 2022)      Cisco Evolved Programmable Network Manager  CSCwb43643 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43643\"]  6.0.1.1 (Available)\r\n5.1.4.1 (Available)\r\n5.0.2.3 
(Available)      Cisco Managed Services Accelerator (MSX)  CSCwb43667 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43667\"]  4.2.3 (Available)      Cisco Optical Network Planner  CSCwb43691 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43691\"]  4.2 (31 May 2022)\r\n5.0 (30 Aug 2022)      Cisco WAN Automation Engine (WAE) Live  CSCwb43708 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43708\"]  7.5.2.1 (Available)\r\n7.4.0.2 (Available)\r\n7.3.0.3 (Available)      Cisco WAN Automation Engine (WAE)  CSCwb43708 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43708\"]  7.5.2.1 (Available)\r\n7.4.0.2 (Available)\r\n7.3.0.3 (Available)      Data Center Network Manager (DCNM)  CSCwb43637 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43637\"]  11.5.4 (Available)      Nexus Dashboard Fabric Controller (NDFC)  CSCwb43637 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43637\"]  12.1.1 (30 Jun 2022)      Routing and Switching - Enterprise and Service Provider      Cisco Optical Network Controller  CSCwb43692 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43692\"]  2.0 (31 May 2022)      Cisco Software-Defined AVC (SD-AVC)  CSCwb43727 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43727\"]  4.3.1 (30 July 2022)\r\n4.4.0 (30 Nov 2022)      Voice and Unified Communications Devices      Cisco Enterprise Chat and Email  CSCwb45202 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb45202\"]  11.6 - Not vulnerable.\r\n12.0 (6 Jun 2022)\r\n12.5 (6 Jun 2022)\r\n12.6 ES2 (6 Jun 2022)      Video, Streaming, TelePresence, and Transcoding Devices      Cisco Meeting Server  CSCwb43662 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43662\"]  3.5.0 (Available)\r\n3.4.2 (31 May 2022)\r\n3.3.3 (17 Jun 2022)",
        "title": "Vulnerable Products"
      },
      {
        "category": "general",
        "text": "Cisco investigated its product line to determine which products may be affected by this vulnerability.\r\n\r\nAny product not listed in the Affected Products section of this advisory is to be considered not vulnerable.\r\n\r\nCisco has confirmed that this vulnerability does not affect the following Cisco products:\r\n\r\nCable Devices\r\n\r\nCisco Continuous Deployment and Automation Framework\r\nCisco Prime Cable Provisioning\r\n\r\nCollaboration and Social Media\r\n\r\nCisco SocialMiner\r\nCisco Webex App, formerly Cisco Webex Teams\r\nCisco Webex Meetings Server\r\n\r\nNetwork Application, Service, and Acceleration\r\n\r\nCisco Wide Area Application Services (WAAS)\r\n\r\nNetwork and Content Security Devices\r\n\r\nCisco Adaptive Security Appliance (ASA) Software\r\nCisco Firepower Device Manager (FDM)\r\nCisco Firepower Management Center (FMC) Software\r\nCisco Firepower System Software\r\nCisco Identity Services Engine (ISE)\r\nCisco Secure Email Gateway, formerly Email Security Appliance (ESA)\r\nCisco Secure Email and Web Manager, formerly Cisco Content Security Management Appliance (SMA)\r\nCisco Secure Network Analytics, formerly Cisco Stealthwatch\r\nCisco Security Manager\r\nCisco Umbrella Active Directory (AD) Connector\r\nCisco Umbrella Roaming Clients\r\nCisco Umbrella Virtual Appliance\r\n\r\nNetwork Management and Provisioning\r\n\r\nCisco Application Policy Infrastructure Controller (APIC)\r\nCisco Business Process Automation\r\nCisco CloudCenter Action Orchestrator\r\nCisco CloudCenter Cost Optimizer\r\nCisco CloudCenter Suite Admin\r\nCisco CloudCenter Workload Manager\r\nCisco CloudCenter\r\nCisco Collaboration Audit and Assessments\r\nCisco Common Services Platform Collector (CSPC)\r\nCisco Connected Mobile Experiences\r\nCisco Connected Pharma\r\nCisco Crosswork Change Automation\r\nCisco Crosswork Data Gateway\r\nCisco Crosswork Network Automation\r\nCisco Crosswork Situation Manager\r\nCisco Elastic Services Controller 
(ESC)\r\nCisco Extensible Network Controller (XNC)\r\nCisco Intelligent Node (iNode) Manager\r\nCisco IoT Field Network Director, formerly Cisco Connected Grid Network Management System\r\nCisco NCS 2000 Shelf Virtualization Orchestrator (SVO)\r\nCisco Network Change and Configuration Management\r\nCisco Network Insights for Data Center\r\nCisco Nexus Dashboard Data Broker, formerly Cisco Nexus Data Broker\r\nCisco Nexus Dashboard, formerly Cisco Application Services Engine\r\nCisco Nexus Insights\r\nCisco Policy Suite for Mobile\r\nCisco Policy Suite\r\nCisco Prime Performance Manager\r\nCisco Smart PHY\r\nCisco ThousandEyes Endpoint Agent\r\nCisco ThousandEyes Enterprise Agent\r\nCisco Virtual Topology System - Virtual Topology Controller (VTC) VM\r\n\r\nRouting and Switching - Enterprise and Service Provider\r\n\r\nCisco ACI HTML5 vCenter Plug-in\r\nCisco ASR 5000 Series Routers\r\nCisco Enterprise NFV Infrastructure Software (NFVIS)\r\nCisco GGSN Gateway GPRS Support Node\r\nCisco IOx Fog Director\r\nCisco IP Services Gateway (IPSG)\r\nCisco MME Mobility Management Entity\r\nCisco Mobility Unified Reporting and Analytics System\r\nCisco Network Convergence System 2000 Series\r\nCisco ONS 15454 Series Multiservice Provisioning Platforms\r\nCisco PDSN/HA Packet Data Serving Node and Home Agent\r\nCisco PGW Packet Data Network Gateway\r\nCisco SD-WAN vManage\r\nCisco System Architecture Evolution Gateway (SAEGW)\r\nCisco Ultra Packet Core\r\nCisco Ultra Services Platform\r\n\r\nRouting and Switching - Small Business\r\n\r\nCisco Business Dashboard\r\n\r\nUnified Computing\r\n\r\nCisco HyperFlex\r\n\r\nVoice and Unified Communications Devices\r\n\r\nCisco BroadWorks\r\nCisco Cloud Connect\r\nCisco Emergency Responder\r\nCisco Packaged Contact Center Enterprise\r\nCisco Unified Attendant Console Advanced\r\nCisco Unified Attendant Console Business Edition\r\nCisco Unified Attendant Console Department Edition\r\nCisco Unified Attendant Console Enterprise 
Edition\r\nCisco Unified Attendant Console Premium Edition\r\nCisco Unified Communications Manager IM \u0026 Presence Service\r\nCisco Unified Communications Manager Session Management Edition\r\nCisco Unified Communications Manager\r\nCisco Unified Contact Center Enterprise\r\nCisco Unified Contact Center Express\r\nCisco Unified Customer Voice Portal\r\nCisco Unified Intelligence Center\r\nCisco Unity Connection\r\nCisco Virtualized Voice Browser\r\n\r\nVideo, Streaming, TelePresence, and Transcoding Devices\r\n\r\nCisco Expressway Series\r\nCisco TelePresence Integrator C Series\r\nCisco TelePresence MX Series\r\nCisco TelePresence Management Suite Provisioning Extensions\r\nCisco TelePresence Management Suite\r\nCisco TelePresence Precision Cameras\r\nCisco TelePresence Profile Series\r\nCisco TelePresence SX Series\r\nCisco TelePresence System EX Series\r\nCisco TelePresence Video Communication Server (VCS)\r\nCisco Touch\r\nCisco Video Surveillance Operations Manager\r\nCisco Vision Dynamic Signage Director\r\nCisco Webex Board Series\r\nCisco Webex Desk Series\r\nCisco Webex Room Navigator\r\nCisco Webex Room Series\r\n\r\nWireless\r\n\r\nCisco Ultra Cloud Core - Access and Mobility Management Function\r\nCisco Ultra Cloud Core - Network Repository Function\r\nCisco Ultra Cloud Core - Policy Control Function\r\nCisco Ultra Cloud Core - Redundancy Configuration Manager\r\nCisco Ultra Cloud Core - Session Management Function\r\nCisco Ultra Cloud Core - Subscriber Microservices Infrastructure\r\n\r\nCisco Cloud Hosted Services\r\n\r\nCisco BroadCloud\r\nCisco Industrial Asset Vision\r\nCisco IoT Control Center\r\nCisco IoT Operations Dashboard (IOTOC)\r\nCisco Kinetic for Cities\r\nCisco Registered Envelope Service\r\nCisco Smart Collector - Lifecycle Management\r\nCisco Umbrella\r\nCisco Unified Communications Manager Cloud\r\nCisco Webex Cloud-Connected UC (CCUC)",
        "title": "Products Confirmed Not Vulnerable"
      },
      {
        "category": "general",
        "text": "Any workarounds will be documented in the product-specific Cisco bugs, which are identified in the Vulnerable Products section of this advisory.",
        "title": "Workarounds"
      },
      {
        "category": "general",
        "text": "For information about fixed software releases, consult the Cisco bugs identified in the Vulnerable Products [\"#vp\"] section of this advisory.\r\n\r\nWhen considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.\r\n\r\nIn all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.",
        "title": "Fixed Software"
      },
      {
        "category": "general",
        "text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.",
        "title": "Vulnerability Policy"
      },
      {
        "category": "general",
        "text": "The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory.",
        "title": "Exploitation and Public Announcements"
      },
      {
        "category": "general",
        "text": "This vulnerability was publicly disclosed by VMware on March 31, 2022.",
        "title": "Source"
      },
      {
        "category": "legal_disclaimer",
        "text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.",
        "title": "Legal Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "Emergency Support:\r\n+1 877 228 7302 (toll-free within North America)\r\n+1 408 525 6532 (International direct-dial)\r\nNon-emergency Support:\r\nEmail: psirt@cisco.com\r\nSupport requests that are received via e-mail are typically acknowledged within 48 hours.",
      "issuing_authority": "Cisco product security incident response is the responsibility of the Cisco Product Security Incident Response Team (PSIRT). The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. The on-call Cisco PSIRT works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks.\r\nMore information can be found in Cisco Security Vulnerability Policy available at https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html",
      "name": "Cisco",
      "namespace": "https://wwww.cisco.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "Vulnerability in Spring Framework Affecting Cisco Products: March 2022",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67"
      },
      {
        "category": "external",
        "summary": "Cisco Security Vulnerability Policy",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
      },
      {
        "category": "external",
        "summary": "VMware Spring Framework Security Vulnerability Report",
        "url": "https://tanzu.vmware.com/security/cve-2022-22965"
      },
      {
        "category": "external",
        "summary": "Cisco\u0026nbsp;Bug Search Tool",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/BUGID"
      },
      {
        "category": "external",
        "summary": "Fixed Release Availability",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"
      },
      {
        "category": "external",
        "summary": "CSCwb41735",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb41735"
      },
      {
        "category": "external",
        "summary": "CSCwb43658",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43658"
      },
      {
        "category": "external",
        "summary": "CSCwb43703",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43703"
      },
      {
        "category": "external",
        "summary": "CSCwb43709",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43709"
      },
      {
        "category": "external",
        "summary": "CSCwb43706",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43706"
      },
      {
        "category": "external",
        "summary": "CSCwb43650",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43650"
      },
      {
        "category": "external",
        "summary": "CSCwb43643",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43643"
      },
      {
        "category": "external",
        "summary": "CSCwb43667",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43667"
      },
      {
        "category": "external",
        "summary": "CSCwb43691",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43691"
      },
      {
        "category": "external",
        "summary": "CSCwb43708",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43708"
      },
      {
        "category": "external",
        "summary": "CSCwb43637",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43637"
      },
      {
        "category": "external",
        "summary": "CSCwb43692",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43692"
      },
      {
        "category": "external",
        "summary": "CSCwb43727",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43727"
      },
      {
        "category": "external",
        "summary": "CSCwb45202",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb45202"
      },
      {
        "category": "external",
        "summary": "CSCwb43662",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb43662"
      },
      {
        "category": "external",
        "summary": "Security Vulnerability Policy",
        "url": "http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html"
      }
    ],
    "title": "Vulnerability in Spring Framework Affecting Cisco Products: March 2022",
    "tracking": {
      "current_release_date": "2023-02-09T15:14:14+00:00",
      "generator": {
        "date": "2023-02-09T15:14:26+00:00",
        "engine": {
          "name": "TVCE"
        }
      },
      "id": "cisco-sa-java-spring-rce-Zx9GUc67",
      "initial_release_date": "2022-04-01T23:45:00+00:00",
      "revision_history": [
        {
          "date": "2022-04-02T00:37:17+00:00",
          "number": "1.0.0",
          "summary": "Initial public release."
        },
        {
          "date": "2022-04-04T21:57:16+00:00",
          "number": "1.1.0",
          "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable."
        },
        {
          "date": "2022-04-05T17:43:30+00:00",
          "number": "1.2.0",
          "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable."
        },
        {
          "date": "2022-04-06T17:39:06+00:00",
          "number": "1.3.0",
          "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable."
        },
        {
          "date": "2022-04-07T18:00:44+00:00",
          "number": "1.4.0",
          "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable."
        },
        {
          "date": "2022-04-11T17:54:26+00:00",
          "number": "1.5.0",
          "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable."
        },
        {
          "date": "2022-04-12T18:27:07+00:00",
          "number": "1.6.0",
          "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable."
        },
        {
          "date": "2022-04-13T16:54:53+00:00",
          "number": "1.7.0",
          "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable."
        },
        {
          "date": "2022-04-14T17:27:42+00:00",
          "number": "1.8.0",
          "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable."
        },
        {
          "date": "2022-04-21T21:01:20+00:00",
          "number": "1.9.0",
          "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable."
        },
        {
          "date": "2022-04-26T17:43:02+00:00",
          "number": "1.10.0",
          "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable."
        },
        {
          "date": "2022-04-29T16:53:49+00:00",
          "number": "1.11.0",
          "summary": "Updated vulnerable products and products confirmed not vulnerable."
        },
        {
          "date": "2022-06-01T17:22:35+00:00",
          "number": "1.12.0",
          "summary": "Updated Fixed Releases information."
        },
        {
          "date": "2023-02-09T15:14:14+00:00",
          "number": "1.13.0",
          "summary": "Updated products confirmed not vulnerable."
        }
      ],
      "status": "final",
      "version": "1.13.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_family",
            "name": "Cisco Emergency Responder",
            "product": {
              "name": "Cisco Emergency Responder ",
              "product_id": "CSAFPID-4844"
            }
          },
          {
            "category": "product_family",
            "name": "Cisco Unity Connection",
            "product": {
              "name": "Cisco Unity Connection ",
              "product_id": "CSAFPID-73608"
            }
          },
          {
            "category": "product_family",
            "name": "Cisco Unified Communications Manager",
            "product": {
              "name": "Cisco Unified Communications Manager ",
              "product_id": "CSAFPID-88444"
            }
          },
          {
            "category": "product_family",
            "name": "Cisco Unified Communications Manager IM and Presence Service",
            "product": {
              "name": "Cisco Unified Communications Manager IM and Presence Service ",
              "product_id": "CSAFPID-189784"
            }
          },
          {
            "category": "product_family",
            "name": "Cisco Prime License Manager",
            "product": {
              "name": "Cisco Prime License Manager ",
              "product_id": "CSAFPID-203607"
            }
          },
          {
            "category": "product_family",
            "name": "Cisco Prime Collaboration Deployment",
            "product": {
              "name": "Cisco Prime Collaboration Deployment ",
              "product_id": "CSAFPID-203614"
            }
          },
          {
            "category": "product_family",
            "name": "Cisco Firepower Management Center",
            "product": {
              "name": "Cisco Firepower Management Center ",
              "product_id": "CSAFPID-212162"
            }
          },
          {
            "category": "product_family",
            "name": "Cisco Evolved Programmable Network Manager (EPNM)",
            "product": {
              "name": "Cisco Evolved Programmable Network Manager (EPNM) ",
              "product_id": "CSAFPID-213688"
            }
          },
          {
            "category": "product_family",
            "name": "Cisco Firepower Threat Defense Software",
            "product": {
              "name": "Cisco Firepower Threat Defense Software ",
              "product_id": "CSAFPID-220203"
            }
          },
          {
            "category": "product_family",
            "name": "Cisco IoT Field Network Director (IoT-FND)",
            "product": {
              "name": "Cisco IoT Field Network Director (IoT-FND) ",
              "product_id": "CSAFPID-227605"
            }
          },
          {
            "category": "product_family",
            "name": "Cisco HyperFlex HX Data Platform",
            "product": {
              "name": "Cisco HyperFlex HX Data Platform ",
              "product_id": "CSAFPID-247050"
            }
          },
          {
            "category": "product_family",
            "name": "Cisco Unified Communications Manager / Cisco Unity Connection",
            "product": {
              "name": "Cisco Unified Communications Manager / Cisco Unity Connection ",
              "product_id": "CSAFPID-277610"
            }
          }
        ],
        "category": "vendor",
        "name": "Cisco"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-22965",
      "ids": [
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwb69766"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwb43734"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwb43739"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwb43738"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwb43736"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwd75689"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCvv65984"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwb44794"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwb70105"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwc96587"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwa79849"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwb84370"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwb43345"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwb43327"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwb43328"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwb43331"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwb43332"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwb43335"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwb43340"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwb43342"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwb43346"
        }
      ],
      "notes": [
        {
          "category": "other",
          "text": "Complete.",
          "title": "Affected Product Comprehensiveness"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-213688",
          "CSAFPID-88444",
          "CSAFPID-4844",
          "CSAFPID-73608",
          "CSAFPID-277610",
          "CSAFPID-247050",
          "CSAFPID-189784",
          "CSAFPID-227605",
          "CSAFPID-203607",
          "CSAFPID-220203",
          "CSAFPID-212162",
          "CSAFPID-203614"
        ]
      },
      "release_date": "2022-04-01T23:45:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Cisco has released software updates that address this vulnerability.",
          "product_ids": [
            "CSAFPID-213688",
            "CSAFPID-220203",
            "CSAFPID-227605",
            "CSAFPID-277610",
            "CSAFPID-73608",
            "CSAFPID-4844",
            "CSAFPID-203607",
            "CSAFPID-212162",
            "CSAFPID-203614",
            "CSAFPID-247050",
            "CSAFPID-189784",
            "CSAFPID-88444"
          ],
          "url": "https://software.cisco.com"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-213688",
            "CSAFPID-88444",
            "CSAFPID-4844",
            "CSAFPID-73608",
            "CSAFPID-277610",
            "CSAFPID-247050",
            "CSAFPID-189784",
            "CSAFPID-227605",
            "CSAFPID-203607",
            "CSAFPID-220203",
            "CSAFPID-212162",
            "CSAFPID-203614"
          ]
        }
      ],
      "title": "Vulnerability in Java Spring Framework Affecting System Products"
    }
  ]
}

