VMware says 3 Tanzu products impacted by Spring4Shell vulnerability



VMware revealed on Saturday that three Tanzu products are “affected” by the remote code execution (RCE) vulnerability in the Spring Framework known as Spring4Shell.

The three affected products are VMware Tanzu Application Service for VMs, VMware Tanzu Operations Manager and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI), the company said in an advisory.

“Malicious actors with network access to the affected VMware product may use this issue to gain complete control over the target system,” VMware said in the advisory.

According to the advisory, patches are now available for Tanzu Application Service for VMs (version 2.10, and versions 2.11 and above) and for Tanzu Operations Manager (versions 2.8 and above).

As of this writing, VMware’s advice is to patch the affected versions of TKGI, version 1.11 and higher.

Details of the vulnerability, dubbed Spring4Shell, leaked on Tuesday, and the flaw in the open source framework was acknowledged on Thursday by VMware-owned Spring.

The RCE vulnerability (CVE-2022-22965) affects applications running on JDK 9 or higher, and exploitation has several additional requirements, including the application being deployed as a traditional WAR on Apache Tomcat, Spring said in its blog post on Thursday.

All organizations using the popular Spring Java framework are urged to patch, even if they do not believe their application meets those conditions for exploitation.
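For teams deciding how urgently to patch, the published preconditions can be turned into a quick triage script. The following is an added example written for this article; it is not code from VentureBeat, VMware or Spring. It assumes the standard WAR layout (spring-* jars under WEB-INF/lib, compiled classes under WEB-INF/classes), uses the fixed Spring Framework releases 5.3.18 and 5.2.20 as the patch threshold, infers the Java level from the class file major version (53 is Java 9), and takes the servlet container as a caller-supplied parameter because a WAR does not record where it is deployed. The sample WAR it inspects is constructed in memory.

```python
"""Triage a Spring WAR against the preconditions Spring published for CVE-2022-22965.

Added example (not VMware's, Spring's or VentureBeat's code). Checks four things:
an unpatched spring-* version, the spring-webmvc/webflux web stack, bytecode
compiled for JDK 9 or later (class file major >= 53), and deployment on Apache
Tomcat (supplied by the caller). The sample WAR below is constructed inline.
"""
import io
import re
import struct
import zipfile

FIXED_PATCH = {3: 18, 2: 20}   # Spring Framework 5.3.18 and 5.2.20 carry the fix
JDK9_CLASS_MAJOR = 53          # class file major version emitted for Java 9
SPRING_JAR_RE = re.compile(
    r"spring-(webmvc|webflux|beans|core|web)-(\d+)\.(\d+)\.(\d+)\.jar$")


def is_fixed(major, minor, patch):
    """True if this Spring Framework version is at or above a fixed release."""
    if major != 5:
        return major > 5       # 4.x and earlier were unsupported: treat as unpatched
    if minor not in FIXED_PATCH:
        return minor > 3       # 5.0/5.1 got no fix; lines after 5.3 are assumed fixed
    return patch >= FIXED_PATCH[minor]


def class_major_version(data):
    """Return the class file major version, or None if the bytes are not a class file."""
    if len(data) < 8:
        return None
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    return major if magic == 0xCAFEBABE else None


def jar_version(jar_bytes, fallback):
    """Prefer Implementation-Version from the nested jar's manifest; fall back to the filename."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\d+)\.(\d+)\.(\d+)", manifest, re.M)
        if m:
            return tuple(int(x) for x in m.groups())
    except (zipfile.BadZipFile, KeyError):
        pass
    return fallback


def triage_war(war_bytes, servlet_container):
    """Return per-precondition findings plus an overall verdict for one WAR."""
    findings = {"spring_version": None, "spring_web_stack": False, "max_class_major": None}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = SPRING_JAR_RE.search(name)
            if m and name.startswith("WEB-INF/lib/"):
                if m.group(1) in ("webmvc", "webflux"):
                    findings["spring_web_stack"] = True
                ver = jar_version(war.read(name), tuple(int(x) for x in m.group(2, 3, 4)))
                # A mixed classpath is only as patched as its oldest spring-* jar.
                if findings["spring_version"] is None or ver < findings["spring_version"]:
                    findings["spring_version"] = ver
            elif name.startswith("WEB-INF/classes/") and name.endswith(".class"):
                major = class_major_version(war.read(name))
                if major is not None and major > (findings["max_class_major"] or 0):
                    findings["max_class_major"] = major
    ver = findings["spring_version"]
    findings["unpatched_spring"] = ver is not None and not is_fixed(*ver)
    findings["jdk9_or_later"] = (findings["max_class_major"] or 0) >= JDK9_CLASS_MAJOR
    findings["on_tomcat"] = servlet_container.strip().lower() == "tomcat"
    findings["all_preconditions_met"] = all(
        findings[k] for k in ("spring_web_stack", "unpatched_spring", "jdk9_or_later", "on_tomcat"))
    return findings


def build_sample_war(spring_version, class_major):
    """Constructed sample input: a minimal WAR with spring jars and one class file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {spring_version}\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr(f"WEB-INF/lib/spring-webmvc-{spring_version}.jar", inner.getvalue())
        war.writestr(f"WEB-INF/lib/spring-beans-{spring_version}.jar", inner.getvalue())
        war.writestr("WEB-INF/classes/com/example/HelloController.class",
                     struct.pack(">IHH", 0xCAFEBABE, 0, class_major) + b"\x00" * 8)
        war.writestr("WEB-INF/web.xml", "<web-app/>")
    return buf.getvalue()


if __name__ == "__main__":
    for version, major, container in (("5.3.17", 55, "tomcat"), ("5.3.18", 55, "tomcat")):
        print(version, major, container, triage_war(build_sample_war(version, major), container))
```

Two caveats when using this on real artifacts: the bytecode level is the compile target, not the runtime, so a WAR compiled with `--release 8` but run on JDK 11 still meets the JDK condition and must be checked at the deployment instead; and a "no" verdict only means the published preconditions were not all observed, which is exactly why the advice above is to patch regardless.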

Critical vulnerability

Now VMware says its Tanzu application platform products are also affected by Spring4Shell. The vulnerability received a CVSSv3 severity rating of 9.8, which makes it a “critical” flaw.

Along with the details on the affected versions and patches for the affected Tanzu products, the VMware advisory includes links to workarounds for Tanzu Application Service for VMs and for TKGI.

“At the time of this release, VMware has reviewed its product portfolio and found that the products listed in this advisory are affected,” the company said in its advisory. “VMware will continue to investigate this vulnerability, and will update the advice as any changes develop.”

While Spring4Shell is considered a serious vulnerability, with the potential for wider exploitation, the best advice is that all Spring users should patch if possible, experts told VentureBeat.

However, even in the worst case, Spring4Shell is unlikely to be as big an issue as Log4Shell, the vulnerability in the widely used Apache Log4j library, experts said.

