VPLEX VS2, VPLEX VS6: SpringShell False Positive Security Vulnerabilities

Summary: See the 'Recommendations' section below for details on each CVE.


Security Article Type

Security KB

CVE Identifier

CVE-2022-22963, CVE-2022-22965, and CVE-2022-22950

Issue Summary

See the 'Recommendations' section below for details on each CVE.

Recommendations

The vulnerabilities listed below are ordered by the date on which Dell EMC determined that all versions of Dell EMC VPLEX VS2 and VS6 are not affected. For each entry: the third-party component the CVE was reported against, the CVE-ID, a summary of the vulnerability, the reason why the product is not vulnerable, and the date the finding was determined to be a false positive.

Third-party Component: Spring (the open source Java framework)
CVE-ID: CVE-2022-22965
Summary of Vulnerability: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar (the default), it is not vulnerable to that exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Reason why the Product is not Vulnerable: In VPLEX
  • We do not use WAR files, nor do we use spring-webmvc or spring-webflux in our deployment; both are necessary conditions for Spring4Shell to be exploitable.
    • We tested the public PoCs, just to be sure, and they were unsuccessful.
  • We also do not use the Spring Cloud Function library anywhere in our code base.
Date Determined False Positive: 1 April 2022

Third-party Component: Spring (the open source Java framework)
CVE-ID: CVE-2022-22963
Summary of Vulnerability: In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL expression as a routing-expression that may result in remote code execution and access to local resources.
Reason why the Product is not Vulnerable: Same assessment as for CVE-2022-22965 above; in particular, the Spring Cloud Function library is not used anywhere in the VPLEX code base.
Date Determined False Positive: 1 April 2022

Third-party Component: Reported against Spring, but the CVE itself describes the star7th/showdoc project, not the Spring framework
CVE-ID: CVE-2021-4172
Summary of Vulnerability: Stored cross-site scripting (XSS) in the GitHub repository star7th/showdoc prior to version 2.10.2.
Reason why the Product is not Vulnerable: showdoc (hosted on GitHub) is not used in VPLEX.
Date Determined False Positive: 5 April 2022

Third-party Component: Spring (the open source Java framework)
CVE-ID: CVE-2022-22950
Summary of Vulnerability: In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
Reason why the Product is not Vulnerable: VPLEX runs on the SLES operating system, and no SUSE Security Announcement cross-references this CVE.
Date Determined False Positive: 5 April 2022
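The entries above dismiss each CVE by checking whether the exploit's preconditions exist in the deployment (web data binding via spring-webmvc/webflux, JDK 9+, a Tomcat WAR for the public PoC, Spring Cloud Function for the routing-expression RCE, an affected Spring Framework line for the SpEL DoS). The script below is an added example that turns those criteria into a repeatable triage check; it is not Dell or VPLEX code. It assumes Maven-style artifact names such as spring-webmvc-5.3.16.jar and a known JDK major version, the inventories at the bottom are constructed rather than taken from any VPLEX node, and the 5.3.18/5.2.20 fix versions for CVE-2022-22965 come from the upstream Spring advisory rather than from this article.

```python
"""Apply the SpringShell exploit preconditions from the table above to an
inventory of deployment artifacts. Added example, not Dell/VPLEX code;
assumes Maven-style jar/war names and a known JDK major version."""
import re
from dataclasses import dataclass

CVE_22965 = "CVE-2022-22965"   # Spring4Shell: RCE via data binding
CVE_22963 = "CVE-2022-22963"   # Spring Cloud Function routing SpEL RCE
CVE_22950 = "CVE-2022-22950"   # Spring Framework SpEL denial of service

# First fixed release per supported line. 3.1.7/3.2.3 and 5.3.17 follow from
# the affected ranges in the table; 5.3.18/5.2.20 are from the upstream advisory.
FIXED = {
    CVE_22965: {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)},
    CVE_22963: {(3, 1): (3, 1, 7), (3, 2): (3, 2, 3)},
    CVE_22950: {(5, 3): (5, 3, 17)},
}

# spring-webmvc-5.3.16.jar -> name=spring-webmvc, version=5.3.16, ext=jar
_ARTIFACT_RE = re.compile(
    r"^(?P<name>[A-Za-z][A-Za-z0-9_.-]*?)-(?P<version>\d+(?:\.\d+)*(?:[.-][A-Za-z0-9]+)*)\.(?P<ext>jar|war)$"
)


def parse_version(text):
    """'5.3.16.RELEASE' -> (5, 3, 16); only numeric components are compared."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def is_affected(version, fixed_lines):
    """Below the fix for its major.minor line, or a line older than every
    supported line ('older unsupported versions'). Newer lines are clean."""
    line = version[:2]
    if line in fixed_lines:
        return version < fixed_lines[line]
    return line < min(fixed_lines)


@dataclass
class Deployment:
    artifacts: list      # jar/war file names found on the node
    jdk_major: int       # e.g. 8, 11, 17

    def versions(self):
        """Map artifact name -> parsed version for every versioned jar/war."""
        found = {}
        for name in self.artifacts:
            m = _ARTIFACT_RE.match(name)
            if m:
                found[m["name"]] = parse_version(m["version"])
        return found


def triage(dep):
    """Return {cve: (preconditions_met, reason)} using the table's criteria."""
    versions = dep.versions()
    has_war = any(a.endswith(".war") for a in dep.artifacts)

    def find(prefix):
        for name, ver in versions.items():
            if name == prefix or name.startswith(prefix + "-"):
                return ver
        return None

    report = {}
    # CVE-2022-22965: web data binding, JDK 9+, unpatched framework;
    # the public PoC additionally needs a WAR deployment on Tomcat.
    web = find("spring-webmvc") or find("spring-webflux")
    framework = find("spring-beans") or find("spring-core") or web
    if web is None:
        report[CVE_22965] = (False, "no spring-webmvc/spring-webflux, so no web data binding")
    elif dep.jdk_major < 9:
        report[CVE_22965] = (False, f"JDK {dep.jdk_major}: the exploit needs JDK 9+")
    elif not is_affected(framework, FIXED[CVE_22965]):
        report[CVE_22965] = (False, "Spring Framework already at a fixed version")
    elif has_war:
        report[CVE_22965] = (True, "unpatched web binding plus a WAR deployment: public PoC path present")
    else:
        report[CVE_22965] = (True, "unpatched web binding; executable jar blocks the public PoC, but the flaw is more general")

    # CVE-2022-22963: only reachable when Spring Cloud Function is deployed.
    scf = find("spring-cloud-function")
    hit = scf is not None and is_affected(scf, FIXED[CVE_22963])
    report[CVE_22963] = (hit, "Spring Cloud Function " + ("unpatched" if hit else "absent or at a fixed version"))

    # CVE-2022-22950: SpEL-capable Spring Framework in the affected range.
    spel = find("spring-expression") or find("spring-core")
    hit = spel is not None and is_affected(spel, FIXED[CVE_22950])
    report[CVE_22950] = (hit, "Spring Framework SpEL " + ("unpatched" if hit else "absent or at a fixed version"))
    return report


# Constructed inventories (hypothetical, not real VPLEX nodes).
EXECUTABLE_JAR = Deployment(
    ["spring-core-5.3.16.jar", "spring-context-5.3.16.jar",
     "spring-expression-5.3.16.jar", "tomcat-embed-core-9.0.58.jar"], jdk_major=11)
TOMCAT_WAR = Deployment(
    ["app.war", "spring-webmvc-5.3.16.jar", "spring-beans-5.3.16.jar",
     "spring-core-5.3.16.jar", "spring-expression-5.3.16.jar",
     "spring-cloud-function-context-3.2.2.jar"], jdk_major=17)

if __name__ == "__main__":
    for label, dep in (("executable jar", EXECUTABLE_JAR), ("tomcat war", TOMCAT_WAR)):
        for cve, (met, why) in triage(dep).items():
            print(f"{label:15} {cve}: {'PRECONDITIONS MET' if met else 'not exposed':18} {why}")
```

Note that a "not exposed" result for CVE-2022-22965 on an executable jar only means the public PoC path is absent; the script still reports the general class as met when spring-webmvc/webflux is present and unpatched, mirroring the caveat in the advisory text. The JDK check is a precondition of the known exploit, not of the underlying data-binding flaw, so treat a JDK 8 "not exposed" result as lower priority rather than as closed.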

Affected Products

VPLEX, VPLEX VS2, VPLEX VS6
Article Properties
Article Number: 000198134
Article Type: Security KB
Last Modified: 06 Apr 2022
Version:  1