VPLEX VS2, VPLEX VS6: False Positive Security Vulnerabilities (SpringShell)

Summary: See the 'Recommendations' section below for details on each CVE.

This article is not associated with any specific product. Not all product versions are identified in this article.

Security Article Type

Security KB

CVE Identifier

CVE-2022-22963, CVE-2022-22965, and CVE-2022-22950

Issue Summary

See the 'Recommendations' section below for details on each CVE.

Recommendations

The vulnerabilities listed in the table below are ordered by the date on which the Dell EMC VPLEX team determined that all versions of Dell EMC VPLEX VS2 and VS6 are not vulnerable.

Third-party Component: Spring – the open source Java framework
CVE-IDs: CVE-2022-22965
Summary of Vulnerability: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Reason why the Product is not Vulnerable: In VPLEX:
  • We do not use WAR files, nor do we use spring-webmvc or spring-webflux in our deployment, both of which are necessary conditions for Spring4Shell to exist.
    • We tested the PoCs, just to be sure, and they were unsuccessful.
  • We also do not use the Spring Cloud Function library anywhere in our code base.
Date Determined False Positive: 1 April 2022

Third-party Component: Spring – the open source Java framework
CVE-IDs: CVE-2022-22963
Summary of Vulnerability: In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
Reason why the Product is not Vulnerable: In VPLEX:
  • We do not use WAR files, nor do we use spring-webmvc or spring-webflux in our deployment, both of which are necessary conditions for Spring4Shell to exist.
    • We tested the PoCs, just to be sure, and they were unsuccessful.
  • We also do not use the Spring Cloud Function library anywhere in our code base.
Date Determined False Positive: 1 April 2022

Third-party Component: Spring – the open source Java framework
CVE-IDs: CVE-2021-4172
Summary of Vulnerability: Cross-site Scripting (XSS) - Stored in GitHub repository star7th/showdoc prior to 2.10.2.
Reason why the Product is not Vulnerable: GitHub is not used in VPLEX.
Date Determined False Positive: 5 April 2022

Third-party Component: Spring – the open source Java framework
CVE-IDs: CVE-2022-22950
Summary of Vulnerability: In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
Reason why the Product is not Vulnerable: No SUSE Security Announcements are cross-referenced for this CVE, since we use the SLES OS.
Date Determined False Positive: 5 April 2022
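Added example (not Dell or VPLEX code): a small triage helper that applies the preconditions quoted in the rows above to an inventory of a Java deployment and reports, per CVE, whether exposure remains plausible. The Deployment record format and both sample inventories are constructed here and are not VPLEX data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

def _ver(s: str):
    """'5.3.16' -> (5, 3, 16), so versions compare in order."""
    return tuple(int(p) for p in s.split("."))

@dataclass(frozen=True)
class Deployment:
    jdk_major: int
    packaging: str                        # "war" or "jar"
    container: str                        # "tomcat", "embedded", ...
    web_modules: FrozenSet[str]           # subset of {"spring-webmvc", "spring-webflux"}
    spring_framework: Optional[str]       # e.g. "5.3.16"; None if absent
    spring_cloud_function: Optional[str]  # e.g. "3.1.6"; None if absent

def triage(d: Deployment) -> Dict[str, str]:
    """Map each CVE in the advisory to a verdict derived from its stated preconditions."""
    out = {}
    # CVE-2022-22965 (Spring4Shell): data-binding RCE; the published exploit needs JDK 9+,
    # Spring MVC or WebFlux, and a WAR deployed on Tomcat.
    if not d.web_modules:
        out["CVE-2022-22965"] = "not applicable: spring-webmvc/spring-webflux absent"
    elif d.jdk_major < 9:
        out["CVE-2022-22965"] = "not applicable: JDK below 9"
    elif d.packaging == "war" and d.container == "tomcat":
        out["CVE-2022-22965"] = "exploit preconditions met: upgrade Spring Framework"
    else:
        out["CVE-2022-22965"] = "known exploit needs a Tomcat WAR, but the flaw is general: upgrade anyway"
    # CVE-2022-22963: SpEL routing-expression RCE in Spring Cloud Function 3.1.6, 3.2.2 and older.
    if d.spring_cloud_function is None:
        out["CVE-2022-22963"] = "not applicable: Spring Cloud Function absent"
    else:
        v = _ver(d.spring_cloud_function)
        bad = v <= (3, 1, 6) or (3, 2, 0) <= v <= (3, 2, 2)
        out["CVE-2022-22963"] = "affected version: upgrade" if bad else "fixed version"
    # CVE-2022-22950: SpEL denial of service in Spring Framework 5.3.0 - 5.3.16 and older.
    if d.spring_framework is None:
        out["CVE-2022-22950"] = "not applicable: Spring Framework absent"
    else:
        bad = _ver(d.spring_framework) <= (5, 3, 16)
        out["CVE-2022-22950"] = "affected version: upgrade" if bad else "fixed version"
    return out

# Constructed sample inventories, not real VPLEX data.
JAR_DEPLOYMENT = Deployment(11, "jar", "embedded", frozenset(), "5.3.17", None)
TOMCAT_WAR = Deployment(11, "war", "tomcat", frozenset({"spring-webmvc"}), "5.3.16", "3.1.6")

if __name__ == "__main__":
    for name, dep in (("jar-deployment", JAR_DEPLOYMENT), ("tomcat-war", TOMCAT_WAR)):
        print(name, triage(dep))
```

The verdicts follow only the version ranges and deployment conditions stated in the advisory text; they are a triage aid, not a substitute for the vendor's own assessment.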

Affected Products

VPLEX, VPLEX VS2, VPLEX VS6
Article Properties
Article Number: 000198134
Article Type: Security KB
Last Modified: 06 Apr 2022
Version: 1