VNX, VNXe, Dell Unity: CVE-2022-22963 and CVE-2022-22965 Vulnerability (User Correctable)
Summary: This KB article details the susceptibility of VNX, VNXe and Dell Unity products to the vulnerabilities detailed in CVE-2022-22963 and CVE-2022-22965, collectively called "Spring4Shell" vulnerabilities ...
Symptoms
Scanner positively identifies a Dell array as susceptible to CVE-2022-22963
Scanner positively identifies a Dell array as susceptible to CVE-2022-22965
Customer question regarding susceptibility of VNX, VNXe or Unity to CVE-2022-22963
Products addressed in this article:
Dell Unity Series, Dell UnityVSA, VNX1 Series, VNX2 Series, VNXe1 Series, VNXe2 Series
Cause
Spring (a division of VMware) announced that there was a Remote Code Execution (RCE) vulnerability in the Spring Framework. Two CVEs of note were identified:
CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
CVE-2022-22965: Remote code execution in a Spring MVC or Spring WebFlux application by data binding
Resolution
- VNX and VNXe (all versions) do not embed the vulnerable code. Therefore, the vulnerabilities are not applicable to them.
- Unity (all versions) and UnityVSA do embed the vulnerable code, but it is not exploitable.
- Unity (as well as VNX) runs Java version 8. Spring identifies this as a valid workaround, since the vulnerability cannot be exploited on Java versions earlier than Java version 9.
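When a scanner flags a host, the Java-version condition above can be checked from the first line of `java -version` output. The following is an added example, not Dell or Spring code: the function names and the sample banners are assumptions constructed for illustration, and it handles both the legacy "1.8.0_x" numbering and the numbering used since Java 9.

```python
import re

# Constructed sample banners (first line of `java -version` output).
# They are illustrative and were not captured from any Dell array.
SAMPLE_BANNERS = [
    'java version "1.8.0_292"',
    'java version "9"',
    'openjdk version "11.0.14" 2022-01-18',
    'openjdk version "17-ea" 2021-09-14',
]

_VERSION_RE = re.compile(r'version "([^"]+)"')


def java_feature_version(banner: str) -> int:
    """Return the Java feature release (8, 9, 11, ...) from a version banner."""
    match = _VERSION_RE.search(banner)
    if match is None:
        raise ValueError(f"no quoted version string in banner: {banner!r}")
    # Split on the separators used by both numbering schemes.
    parts = re.split(r"[._+-]", match.group(1))
    try:
        first = int(parts[0])
        # Legacy scheme (Java 8 and earlier): "1.8.0_292" means Java 8.
        # Scheme used since Java 9: the first field is the feature release.
        return int(parts[1]) if first == 1 else first
    except (ValueError, IndexError):
        raise ValueError(f"unrecognised version string: {match.group(1)!r}")


def jdk9_precondition_met(banner: str) -> bool:
    """True when the runtime is Java 9 or later, the condition the article cites."""
    return java_feature_version(banner) >= 9


def triage(banner: str) -> str:
    """Hypothetical triage label for a scanner finding, based only on the JDK check."""
    if jdk9_precondition_met(banner):
        return "Java 9 or later: Java-version workaround does not apply"
    return "Java 8 or earlier: Java-version workaround applies"


if __name__ == "__main__":
    for line in SAMPLE_BANNERS:
        print(f"{line!r}: Java {java_feature_version(line)} -> {triage(line)}")
```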
Affected Products
Dell EMC Unity, VNX1 Series, VNX2 Series, VNXe1 Series, VNXe2 Series
Article Properties
Article Number: 000198095
Article Type: Solution
Last Modified: 14 Dec 2022
Version: 6