CloudIQ: False Positive for Spring4Shell Vulnerability (CVE-2022-22963 and CVE-2022-22965)
Summary: On March 31, 2022, a critical remote code execution vulnerability in the Spring Framework, known as Spring4Shell, was published.
This article applies to:
This article does not apply to:
This article is not tied to a specific product.
This article does not cover all product versions.
Security article type
Security KB
CVE identifiers
CVE-2022-22963, CVE-2022-22965
Issue summary
This article lists security vulnerabilities that may be flagged by security scanners but cannot be exploited on Dell EMC CloudIQ.
Details
Notice on Vulnerability:
Spring Framework RCE, Early Announcement:
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
CVE Details:
CVE-2022-22963 https://nvd.nist.gov/vuln/detail/CVE-2022-22963
CVE-2022-22965 https://nvd.nist.gov/vuln/detail/CVE-2022-22965
Recommendations
| Embedded Component | CVE IDs | Summary of Vulnerability | Reason why Product is not Vulnerable | Date Determined False Positive |
|---|---|---|---|---|
| CloudIQ | CVE-2022-22963 | In Spring Cloud Function versions 3.1.6, 3.2.2, and earlier unsupported versions, when using routing functionality, it is possible for a user to provide a specially crafted SpEL as a routing expression that may result in remote code execution and access to local resources. | CloudIQ Is Not Impacted | 04-01-2022 |
| CloudIQ | CVE-2022-22965 | A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) using data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, which is the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. | CloudIQ Is Not Impacted | 04-01-2022 |
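Scanner findings for these two CVEs are usually raised on the library version alone, while the advisory text above spells out further preconditions for the published CVE-2022-22965 exploit (JDK 9+, Spring MVC or WebFlux, deployed as a WAR on Tomcat). The helper below is an added example for triaging such findings; it is not part of this Dell article and not CloudIQ code. The only facts it adds to the page are the first fixed releases from the spring.io announcement (Spring Framework 5.3.18 and 5.2.20 for CVE-2022-22965, Spring Cloud Function 3.1.7 and 3.2.3 for CVE-2022-22963); the `Deployment` record and the sample inventory are constructed for the example.

```python
"""Triage helper for Spring4Shell scanner findings.

Added example; it is not part of the Dell KB article or of CloudIQ.
It encodes the exploit preconditions quoted in the advisory and the
first fixed releases from the spring.io announcement:
  CVE-2022-22965: Spring Framework 5.3.18 and 5.2.20
  CVE-2022-22963: Spring Cloud Function 3.1.7 and 3.2.3
"""
import re
from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    """Turn '5.3.17', '5.3.18.RELEASE' or '3.2.2' into a tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])


def version_lt(a: str, b: str) -> bool:
    return parse_version(a) < parse_version(b)


# First releases containing the fix, keyed by the maintained minor line.
# Lines not listed (5.1.x, 4.x, Spring Cloud Function 3.0.x) received no fix.
FIXED_SPRING_FRAMEWORK = {(5, 3): "5.3.18", (5, 2): "5.2.20"}
FIXED_SPRING_CLOUD_FUNCTION = {(3, 2): "3.2.3", (3, 1): "3.1.7"}


def is_patched(version: str, fixed_by_line: dict) -> bool:
    line = parse_version(version)[:2]
    fixed = fixed_by_line.get(line)
    if fixed is None:
        return False  # unsupported line with no fixed release: treat as vulnerable
    return not version_lt(version, fixed)


def spring_framework_patched(version: str) -> bool:
    return is_patched(version, FIXED_SPRING_FRAMEWORK)


def spring_cloud_function_patched(version: str) -> bool:
    return is_patched(version, FIXED_SPRING_CLOUD_FUNCTION)


@dataclass
class Deployment:
    """Facts a scanner or an operator can collect about one application (constructed type)."""
    spring_framework: str  # version of spring-webmvc / spring-beans on the classpath
    jdk_major: int         # java.specification.version major, e.g. 8, 11, 17
    packaging: str         # "war" or "jar"
    container: str         # "tomcat" for standalone Tomcat, "embedded" for Spring Boot's


def triage_cve_2022_22965(dep: Deployment) -> dict:
    patched = spring_framework_patched(dep.spring_framework)
    # Preconditions of the published exploit, as stated in the CVE text:
    # JDK 9+, Spring MVC/WebFlux, deployed as a WAR on Tomcat.
    known_exploit = (
        dep.jdk_major >= 9
        and dep.packaging == "war"
        and dep.container == "tomcat"
    )
    if patched:
        verdict = "patched"
    elif known_exploit:
        verdict = "exploitable: published exploit preconditions met"
    else:
        # The advisory warns the flaw is more general, so an unpatched
        # library is still a finding even when the known exploit cannot run.
        verdict = "vulnerable library: published exploit preconditions not met, still upgrade"
    return {"patched": patched, "known_exploit_preconditions": known_exploit, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample inventory, not real CloudIQ data.
    samples = [
        Deployment("5.3.17", 11, "war", "tomcat"),
        Deployment("5.3.17", 8, "war", "tomcat"),
        Deployment("5.3.17", 17, "jar", "embedded"),
        Deployment("5.3.18", 17, "war", "tomcat"),
    ]
    for d in samples:
        print(d, "->", triage_cve_2022_22965(d)["verdict"])
```

The verdict deliberately never downgrades an unpatched library to "not vulnerable": the advisory's own wording is that the WAR-on-Tomcat requirement applies to the specific public exploit, not to the flaw itself, so a scanner hit on an old Spring Framework should be closed as a false positive only when the vendor confirms the component is not exposed, as Dell does for CloudIQ above.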
Legal disclaimer
Affected products
CloudIQ
Article properties
Article number: 000198907
Article type: Security KB
Last modified: 03 May 2022
Version: 1