CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2022-22965

CVSS 9.8v3.1pub. 2022-04-01upd. 2025-10-30

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Cisco Cx Cloud Agent

    APP
    Cisco
    < 2.1.0
  • Oracle Commerce Platform

    APP
    Oracle
    11.3.2
  • Oracle Communications Cloud Native Core Automated Test Suite

    APP
    Oracle
    1.9.022.1.0
  • Oracle Communications Cloud Native Core Binding Support Function

    APP
    Oracle
    22.1.3
  • Oracle Communications Cloud Native Core Console

    APP
    Oracle
    1.9.022.1.0
  • Oracle Communications Cloud Native Core Network Exposure Function

    APP
    Oracle
    22.1.0
  • Oracle Communications Cloud Native Core Network Function Cloud Native Environment

    APP
    Oracle
    1.10.022.1.0
  • Oracle Communications Cloud Native Core Network Repository Function

    APP
    Oracle
    1.15.022.1.0
  • Oracle Communications Cloud Native Core Network Slice Selection Function

    APP
    Oracle
    1.15.01.8.022.1.0
  • Oracle Communications Cloud Native Core Policy

    APP
    Oracle
    1.15.022.1.0
  • Oracle Communications Cloud Native Core Security Edge Protection Proxy

    APP
    Oracle
    1.7.022.1.0
  • Oracle Communications Cloud Native Core Unified Data Repository

    APP
    Oracle
    1.15.022.1.0
  • Oracle Communications Policy Management

    APP
    Oracle
    12.6.0.0.0
  • Oracle Communications Unified Inventory Management

    APP
    Oracle
    7.4.17.4.27.5.0
  • Oracle Financial Services Analytical Applications Infrastructure

    APP
    Oracle
    8.1.18.1.2.0
  • Oracle Financial Services Behavior Detection Platform

    APP
    Oracle
    8.1.1.08.1.1.18.1.2.0
  • Oracle Financial Services Enterprise Case Management

    APP
    Oracle
    8.1.1.08.1.1.18.1.2.0
  • Oracle JDK

    APP
    Oracle
    ≥ 9
  • Oracle MySQL Enterprise Monitor

    APP
    Oracle
    < 8.0.29
  • Oracle Product Lifecycle Analytics

    APP
    Oracle
    3.6.1
  • Oracle Retail Bulk Data Integration

    APP
    Oracle
    16.0.3
  • Oracle Retail Customer Management And Segmentation Foundation

    APP
    Oracle
    17.018.019.0
  • Oracle Retail Financial Integration

    APP
    Oracle
    14.1.3.215.0.3.116.0.319.0.1
  • Oracle Retail Integration Bus

    APP
    Oracle
    14.1.3.215.0.3.116.0.319.0.1
  • Oracle Retail Merchandising System

    APP
    Oracle
    16.0.319.0.1
  • Oracle Retail Xstore Point Of Service

    APP
    Oracle
    20.0.121.0.0
  • Oracle Sd Wan Edge

    APP
    Oracle
    9.09.1
  • Oracle Weblogic Server

    APP
    Oracle
    12.2.1.3.012.2.1.4.014.1.1.0.0
  • Siemens Operation Scheduler

    APP
    Siemens
    < 2.0.4
  • Siemens Simatic Speech Assistant For Machines

    APP
    Siemens
    < 1.2.1

CISA KEV — detailsi

Vendori
VMware
Producti
Spring Framework
Added to KEVi
April 4, 2022
Remediation deadline (US Federal)i
April 25, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 25 kwietnia 2022
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2022-22963CRITICAL9.8⚠ KEVten sam produkt

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionalit...

CVE-2022-22947CRITICAL10.0⚠ KEVten sam produkt

In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection ...

CVE-2021-45046CRITICAL9.0⚠ KEVten sam produkt

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-defau...

CVE-2021-44228CRITICAL10.0⚠ KEVten sam produkt

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features u...

CVE-2020-17530CRITICAL9.8⚠ KEVten sam produkt

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution....