VNX False Positive Security Vulnerabilities for Spring4Shell Vulnerability (CVE-2022-22950, CVE-2022-22963, and CVE-2022-22965)
Summary: This article provides a list of security vulnerabilities that cannot be exploited on Dell EMC VNX products (VNXe3200 or VNXe1600) and VNX2 series VNX5200, VNX5400, VNX5600, VNX5700, VNX5800, VNX7500, VNX7600, or VNX8000, but which may be identified by security scanners. ...
Security Article Type
Security KB
CVE Identifier
CVE-2022-22950, CVE-2022-22963, CVE-2022-22965
Issue Summary
See the 'Recommendation' section below for details on each CVE.
Recommendations
The vulnerabilities listed in the table below are ordered by the date on which Dell EMC Engineering determined that the VNXe3200 (version 3.1.17.10223906), VNXe1600 (version 3.1.16.10224109) and VNX2 series VNX5200, VNX5400, VNX5600, VNX5700, VNX5800, VNX7500, VNX7600, and VNX8000 (Block 5.33.021.5.266, File 8.1.21.266) were not vulnerable.
| Third-party Component | CVE IDs | Summary of Vulnerability | Reason why Product is not Vulnerable | Date Determined False Positive |
| --- | --- | --- | --- | --- |
| Spring | CVE-2022-22950 | In Spring Framework versions 5.3.0 - 5.3.16, 5.2.0 - 5.2.19, and earlier unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service condition. | 1. The SpEL classes and interfaces are in the package org.springframework.expression, its sub-packages, and spel.support. 2. The interface ExpressionParser is responsible for parsing an expression string. 3. In VNX2 and VNXe2, none of the SpEL (Spring Expression Language) modules, packages, sub-packages, or interfaces are used. | April 12, 2022 |
| Spring | CVE-2022-22963 | In Spring Cloud Function versions 3.1.6, 3.2.2 and earlier unsupported versions, when using routing functionality, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. | 1. The CVE relates to a vulnerability in Spring Cloud Function, one of the main projects in the Spring Cloud framework. It enables an attacker to pass arbitrary code to the Spring Expression Language (SpEL) using an HTTP header named spring.cloud.function.routing-expression, because that parameter goes unvalidated by Cloud Function. 2. We have verified that the VNX2 code does not use the Spring framework, whereas the VNXe2 code uses the Spring framework but does not consume the springframework.cloud package anywhere. 3. We have also checked that there are no Maven dependencies on org.springframework.cloud, which are required for using Spring Cloud Function. | April 12, 2022 |
| Spring | CVE-2022-22965 | A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) using data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. | 1. The CVE is exploitable on Java 9+ but not on Java 8. VNXe2 and VNX2 systems use Java 8. 2. Spring4Shell (also called SpringShell) is a vulnerability in the Spring Framework that uses data-binding functionality to bind data stored within an HTTP request to certain objects used by an application. 3. The issue exists in the getCachedIntrospectionResults method, which may be used to gain unauthorized access to such objects by passing their class names in an HTTP request. This method is not used in the VNX2 and VNXe2 code. | April 12, 2022 |
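The table's "not vulnerable" reasoning comes down to three checks on a Java build: whether it declares the Spring artifacts in question, whether those versions fall inside the affected ranges the advisory quotes, and whether the runtime is JDK 9 or newer. The script below is an added triage helper, not Dell's code or part of this advisory; it reads a Maven pom.xml (resolving `${property}` versions), applies the version ranges exactly as the table states them, and reports which of the three CVEs still have their preconditions met. The artifact names `spring-expression`, `spring-webmvc`, `spring-webflux` and the `spring-cloud-function-*` prefix are real Maven artifacts assumed here rather than named on the page, and the sample pom.xml and JDK version strings are constructed for the example.

```python
"""Triage helper (added example, not Dell's code): check a Maven build for the
preconditions behind CVE-2022-22950, CVE-2022-22963 and CVE-2022-22965,
using the version ranges and JDK condition quoted in the advisory table.
"""
import re
import xml.etree.ElementTree as ET


def parse_version(text):
    """'5.3.16' -> (5, 3, 16); '4.3.30.RELEASE' -> (4, 3, 30); '3.2' -> (3, 2, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def spring_framework_affected(version):
    """CVE-2022-22950 as quoted: 5.3.0-5.3.16, 5.2.0-5.2.19, and earlier versions."""
    major, minor, patch = parse_version(version)
    if (major, minor) < (5, 2):
        return True          # "earlier unsupported versions"
    if (major, minor) == (5, 2):
        return patch <= 19
    if (major, minor) == (5, 3):
        return patch <= 16
    return False


def spring_cloud_function_affected(version):
    """CVE-2022-22963 as quoted: 3.1.6, 3.2.2 and earlier versions."""
    major, minor, patch = parse_version(version)
    if (major, minor) < (3, 1):
        return True
    if (major, minor) == (3, 1):
        return patch <= 6
    if (major, minor) == (3, 2):
        return patch <= 2
    return False


def jdk_major(version_string):
    """'1.8.0_292' -> 8 (legacy 1.x scheme); '11.0.14' -> 11; '17' -> 17."""
    parts = re.findall(r"\d+", version_string)
    if parts[0] == "1" and len(parts) > 1:
        return int(parts[1])
    return int(parts[0])


def _local(tag):
    # Strip the Maven XML namespace, if the pom declares one.
    return tag.rsplit("}", 1)[-1]


def _children(node):
    return {_local(c.tag): (c.text or "").strip() for c in node}


def maven_dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for each declared dependency,
    resolving ${property} versions from <properties>."""
    root = ET.fromstring(pom_xml)
    props, deps = {}, []
    for node in root:
        if _local(node.tag) == "properties":
            props = _children(node)
        elif _local(node.tag) == "dependencies":
            deps = [_children(d) for d in node if _local(d.tag) == "dependency"]
    for dep in deps:
        version = dep.get("version", "")
        m = re.fullmatch(r"\$\{(.+)\}", version)
        if m:
            version = props.get(m.group(1), version)
        yield dep.get("groupId", ""), dep.get("artifactId", ""), version


def triage(pom_xml, jdk_version, tomcat_war=False):
    """Return [(cve_id, evidence)] for every CVE whose preconditions are present."""
    findings = []
    for group, artifact, version in maven_dependencies(pom_xml):
        if group == "org.springframework.cloud" and artifact.startswith("spring-cloud-function"):
            if spring_cloud_function_affected(version):
                findings.append(("CVE-2022-22963", f"{artifact} {version}"))
        if group == "org.springframework" and artifact == "spring-expression":
            if spring_framework_affected(version):
                findings.append(("CVE-2022-22950", f"{artifact} {version}"))
        if group == "org.springframework" and artifact in ("spring-webmvc", "spring-webflux"):
            # Advisory: Spring MVC/WebFlux on JDK 9+, deployed as a WAR on Tomcat.
            if jdk_major(jdk_version) >= 9 and tomcat_war:
                findings.append(("CVE-2022-22965",
                                 f"{artifact} {version} on JDK {jdk_version}, Tomcat WAR"))
    return findings


# Constructed sample pom.xml for the example; not taken from any real product.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><spring.version>5.3.16</spring.version></properties>
  <dependencies>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-webmvc</artifactId>
      <version>${spring.version}</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-expression</artifactId>
      <version>${spring.version}</version></dependency>
    <dependency><groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-function-context</artifactId><version>3.2.2</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for jdk, war in (("1.8.0_292", False), ("11.0.14", True)):
        print(f"JDK {jdk}, Tomcat WAR={war}:")
        for cve, evidence in triage(SAMPLE_POM, jdk, tomcat_war=war):
            print(f"  {cve}: {evidence}")
```

Run against the constructed pom, the Java 8 case reports only the two dependency-driven CVEs, while the JDK 11 WAR case adds CVE-2022-22965; that mirrors the advisory's own argument that the Java 8 runtime alone rules out the third CVE, while the other two are excluded by the absence of the artifacts.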
Affected Products
VNX2 Series, VNX5200, VNX5400, VNX5600, VNX5700, VNX5800, VNX7500, VNX7600, VNX8000, VNXe1000 Series
Products
VNXe1600, VNXe2 Series, VNXe3200
Article Properties
Article Number: 000200074
Article Type: Security KB
Last Modified: 19 Sept 2025
Version: 2