The following vulnerabilities were announced as the new Spring4Shell zero-day vulnerabilities:
- CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
https://tanzu.vmware.com/security/cve-2022-22963
- CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
https://tanzu.vmware.com/security/cve-2022-22965
- CVE-2022-22950: Spring Expression DoS Vulnerability
https://tanzu.vmware.com/security/cve-2022-22950
Is Dollar Universe impacted by these vulnerabilities?
Release : 6.x, 7.x
Component : DOLLAR UNIVERSE
Defect in third party libraries
Dollar Universe does not meet the preconditions required to be vulnerable to CVE-2022-22963 and CVE-2022-22965, as stated in:
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
or
https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/
Spring core is ONLY used in the following components:
These components will have their Spring version updated in future releases (6.10.101 and 7.0.11).