VMware has published security advisory VMSA-2022-0010. A critical vulnerability in the Spring Framework project, identified as CVE-2022-22965, has been publicly disclosed and impacts the following VMware products:
- VMware Tanzu Application Service for VMs
- VMware Tanzu Operations Manager
- VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)
Multiple products are impacted by a remote code execution vulnerability (CVE-2022-22965). A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system.
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Tanzu Application Service for VMs | 2.13 | Any | CVE-2022-22965 | 9.8 | Critical | 2.13.1 | Here | None |
| Tanzu Application Service for VMs | 2.12 | Any | CVE-2022-22965 | 9.8 | Critical | 2.12.10 | Here | None |
| Tanzu Application Service for VMs | 2.11 | Any | CVE-2022-22965 | 9.8 | Critical | 2.11.17 | Here | None |
| Tanzu Application Service | 2.10 | Any | CVE-2022-22965 | 9.8 | Critical | 2.10.29 | Here | None |
| Tanzu Operations Manager | 2.10 | Any | CVE-2022-22965 | 9.8 | Critical | 2.10.35 | None | None |
| Tanzu Operations Manager | 2.9 | Any | CVE-2022-22965 | 9.8 | Critical | 2.9.35 | None | None |
| Tanzu Operations Manager | 2.8 | Any | CVE-2022-22965 | 9.8 | Critical | 2.8.20 | None | None |
| TKGI | 1.13 | Any | CVE-2022-22965 | 9.8 | Critical | Patch pending | KB88102 | None |
| TKGI | 1.12 | Any | CVE-2022-22965 | 9.8 | Critical | Patch pending | KB88102 | None |
| TKGI | 1.11 | Any | CVE-2022-22965 | 9.8 | Critical | Patch pending | KB88102 | None |
References:
Tanzu Application Service
Downloads and Documentation:
https://network.pivotal.io/products/elastic-runtime/
Tanzu Operations Manager
Downloads and Documentation:
https://network.tanzu.vmware.com/products/ops-manager
VMware TKGI
Downloads and Documentation:
https://network.pivotal.io/products/pivotal-container-service/
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
FIRST CVSSv3 Calculator:
CVE-2022-22965: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Read my blog: https://angrysysops.com