CVE-2022-22965

Vulnerability in Spring Framework Remote Code Execution affect WithSecure Products

More information

On March 31, 2022, a critical vulnerability was announced in the Spring framework, which is used by many vendors with Java based products. 

WithSecure is aware of this vulnerability affecting the Spring MVC (CVE-2022-22965) of the Spring Framework.

As part of WithSecure investigation, we found that the framework is used in the following WithSecure™ products are affected:

  • F-Secure Policy Manager Version 15 onwards
  • F-Secure Policy Manager for Linux Version 15 onwards
  • F-Secure Policy Manager Proxy Version 15 onwards
  • F-Secure Elements Connector (all versions)

During the investigations, it was determined that while these products include the affected version of Spring Framework, they are not exploitable by any currently known exploits. WithSecure™ teams have created fixes for these products:

Policy Manager: https://download.f-secure.com/corpro/pm/pms-pmp-hotfix-spring4shell-5.2.20.zip (applies to all affected versions)
Elements Connector: https://download.sp.f-secure.com/PSB/latest/installer/ec-hotfix-spring4shell-5.2.20.zip

Some third-party vulnerability scanners detect these products as affected, but they are simply checking the version of the Spring Framework and not actively checking the product configuration to see if they are exploitable. 

For a description of this vulnerability, see VMware Spring Framework Security Vulnerability Report.

We will update the advisory page as additional information becomes available.

    Status

  • Fixed
  • Action required

  • F-Secure Business Suite administrator need to apply the hotfix manually. All other products are automatically updated.
  • Risk level

  • Medium
  • Fix

  • In all other environments fix has been published through the automatic update channel.
  • Affected products

  • F-Secure Policy Manager Version 15 onwards F-Secure Policy Manager for Linux Version 15 onwards F-Secure Policy Manager Proxy Version 15 onwards F-Secure Elements Connector (all versions)
  • Platforms

  • All supported Windows version for the affected products
  • Date issued

  • 2022-04-13
  • Date updated

  • 2022-04-08
  • Security advisories
  • 2022
  • Medium