Critical Severity – VMSA-2022-0010 – VMware Tanzu

VMware has published security advisory VMSA-2022-0010. A critical vulnerability in the Spring Framework project, identified as CVE-2022-22965, has been publicly disclosed and impacts the following VMware products:

  • VMware Tanzu Application Service for VMs
  • VMware Tanzu Operations Manager
  • VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)

Multiple products are impacted by a remote code execution vulnerability (CVE-2022-22965). A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system.

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Tanzu Application Service for VMs | 2.13 | Any | CVE-2022-22965 | 9.8 | Critical | 2.13.1 | Here | None |
| Tanzu Application Service for VMs | 2.12 | Any | CVE-2022-22965 | 9.8 | Critical | 2.12.10 | Here | None |
| Tanzu Application Service for VMs | 2.11 | Any | CVE-2022-22965 | 9.8 | Critical | 2.11.17 | Here | None |
| Tanzu Application Service | 2.10 | Any | CVE-2022-22965 | 9.8 | Critical | 2.10.29 | Here | None |
| Tanzu Operations Manager | 2.10 | Any | CVE-2022-22965 | 9.8 | Critical | 2.10.35 | None | None |
| Tanzu Operations Manager | 2.9 | Any | CVE-2022-22965 | 9.8 | Critical | 2.9.35 | None | None |
| Tanzu Operations Manager | 2.8 | Any | CVE-2022-22965 | 9.8 | Critical | 2.8.20 | None | None |
| TKGI | 1.13 | Any | CVE-2022-22965 | 9.8 | Critical | Patch pending | KB88102 | None |
| TKGI | 1.12 | Any | CVE-2022-22965 | 9.8 | Critical | Patch pending | KB88102 | None |
| TKGI | 1.11 | Any | CVE-2022-22965 | 9.8 | Critical | Patch pending | KB88102 | None |

References:

Tanzu Application Service
Downloads and Documentation:
https://network.pivotal.io/products/elastic-runtime/

Tanzu Operations Manager
Downloads and Documentation:
https://network.tanzu.vmware.com/products/ops-manager

VMware TKGI
Downloads and Documentation:
https://network.pivotal.io/products/pivotal-container-service/

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965

FIRST CVSSv3 Calculator:
CVE-2022-22965: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
