Critical
IMPORTANT: See the Notes section if, prior to April 6, 3 PM PST, you updated TAS or Ops Manager, or applied workarounds to TAS, Ops Manager or TKGi.
A critical vulnerability in the Spring Framework project, identified by CVE-2022-22965, has been publicly disclosed and impacts VMware products.
Description
Multiple products are impacted by a remote code execution vulnerability (CVE-2022-22965).
Known Attack Vectors
A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system.
Resolution
Fixes for CVE-2022-22965 are documented in the 'Fixed Version' column of the 'Response Matrix' below.
Workarounds
Workarounds for CVE-2022-22965 are documented in the 'Workarounds' column of the 'Response Matrix' below.
Additional Documentation
None.
Notes
Acknowledgements
None.
Response Matrix

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Tanzu Application Service for VMs | 2.13 | Any | CVE-2022-22965 | | Critical | 2.13.2 | None | |
| Tanzu Application Service for VMs | 2.12 | Any | CVE-2022-22965 | | Critical | 2.12.11 | None | |
| Tanzu Application Service for VMs | 2.11 | Any | CVE-2022-22965 | | Critical | 2.11.18 | None | |
| Tanzu Application Service | 2.10 | Any | CVE-2022-22965 | | Critical | 2.10.30 | None | |
| Tanzu Operations Manager | 2.10 | Any | CVE-2022-22965 | | Critical | 2.10.37 | None | |
| Tanzu Operations Manager | 2.9 | Any | CVE-2022-22965 | | Critical | 2.9.36 | None | |
| Tanzu Operations Manager | 2.8 | Any | CVE-2022-22965 | | Critical | 2.8.21 | None | |
| TKGI | 1.13 | Any | CVE-2022-22965 | | Critical | 1.13.4 | None | |
| TKGI | 1.12 | Any | CVE-2022-22965 | | Critical | | None | |
| TKGI | 1.11 | Any | CVE-2022-22965 | | Critical | | None | |
Fixed Version(s) and Release Notes:
Tanzu Application Service
Downloads and Documentation:
https://network.pivotal.io/products/elastic-runtime/
Tanzu Operations Manager
Downloads and Documentation:
https://network.tanzu.vmware.com/products/ops-manager
VMware TKGI
Downloads and Documentation:
https://network.pivotal.io/products/pivotal-container-service/
TKGI 1.12.5: https://docs.pivotal.io/tkgi/1-12/release-notes.html#1-12-5
TKGI 1.11.10: https://docs.pivotal.io/tkgi/1-11/release-notes.html#1-11-10
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
FIRST CVSSv3 Calculator:
CVE-2022-22965: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2022-04-02 VMSA-2022-0010
Initial security advisory.
2022-04-06 VMSA-2022-0010.1
Updated workaround for Tanzu Operations Manager.
2022-04-06 VMSA-2022-0010.2
Added new, patched versions for TAS. Added alert to the Notes section on the need to update versions or reapply the workaround.
2022-04-07 VMSA-2022-0010.3
Added new patched versions of Tanzu Operations Manager.
2022-04-08 VMSA-2022-0010.4
Added note confirming investigations have concluded.
2022-04-14 VMSA-2022-0010.5
Added patched versions for TKGI 1.12 and TKGI 1.11.
2022-04-30 VMSA-2022-0010.6
Added patched versions for TKGI 1.13 and a new patched version for TKGI 1.12.
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
E-mail: security@vmware.com
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2022 VMware Inc. All rights reserved.