
Spring4Shell ZERO-day exploit CVE-2022-22963 and CVE-2022-22965 vulnerability for DX Operational Intelligence (DX OI)


Article ID: 238525

Products

DX OI SaaS DX Operational Intelligence

Issue/Introduction

Two CVEs for the new Spring4Shell zero-day vulnerability:

- CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
  https://tanzu.vmware.com/security/cve-2022-22963

- CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
  https://tanzu.vmware.com/security/cve-2022-22965

Is DX Operational Intelligence (DX OI) impacted by this vulnerability?

Environment

DX Operational Intelligence (DX OI)

21.3.1, 21.3.1 HF1, SaaS

Resolution

DX Operational Intelligence (DX OI) is vulnerable to the new Spring4Shell vulnerabilities. We identified the affected components and releases. We updated our SaaS environment with the required fixes. For on-prem customers, a hot fix has been released. Please refer to the link below for complete installation instructions.
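As an added example (not part of this article or of the DX OI hot fix), the script below shows how an on-prem administrator can verify, after applying the vendor's hot fix, that no Spring jar below the upstream fixed versions remains on disk. The minimum fixed versions (Spring Framework 5.3.18 / 5.2.20 for CVE-2022-22965, Spring Cloud Function 3.2.3 / 3.1.7 for CVE-2022-22963) come from the VMware advisories linked above; the `lib/` file names are constructed for the example and are not real DX OI paths. Vendor-patched jars that keep an old version string would still be flagged, so treat a hit as something to confirm against the hot fix notes rather than as proof the fix is missing.

```python
import re
from pathlib import Path

# First fixed patch level per supported minor line, per the upstream advisories.
# Minor lines older than the oldest entry never received a fix; lines newer than
# the newest entry were released after the fix and are treated as fixed.
FIXED_VERSIONS = {
    "spring-beans": ("CVE-2022-22965", {(5, 2): 20, (5, 3): 18}),
    "spring-cloud-function-context": ("CVE-2022-22963", {(3, 1): 7, (3, 2): 3}),
}

# Matches "<artifact>-<major>.<minor>.<patch>[.qualifier].jar"
JAR_RE = re.compile(
    r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d+\.\d+\.\d+)[^/]*\.jar$"
)


def parse_jar_name(name):
    """Return (artifact, (major, minor, patch)) for a Maven-style jar name, else None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group("version").split("."))
    return m.group("artifact"), (major, minor, patch)


def classify(artifact, version):
    """Return (cve, "fixed" | "affected") for a tracked artifact, or None if untracked."""
    if artifact not in FIXED_VERSIONS:
        return None
    cve, fixed_by_line = FIXED_VERSIONS[artifact]
    major, minor, patch = version
    line = (major, minor)
    if line in fixed_by_line:
        return cve, "fixed" if patch >= fixed_by_line[line] else "affected"
    if line > max(fixed_by_line):
        return cve, "fixed"        # released after the fix
    return cve, "affected"         # unsupported line, never patched upstream


def scan_jar_names(names):
    """Classify each jar path; returns a list of (path, cve, status) for tracked artifacts."""
    findings = []
    for name in names:
        parsed = parse_jar_name(Path(name).name)
        if parsed is None:
            continue
        result = classify(*parsed)
        if result is None:
            continue
        cve, status = result
        findings.append((name, cve, status))
    return findings


def scan_directory(root):
    """Walk an installation directory and classify every jar found under it."""
    return scan_jar_names(str(p) for p in Path(root).rglob("*.jar"))


# Constructed sample jar names (hypothetical lib directory, not real DX OI paths).
SAMPLE = [
    "lib/spring-beans-5.3.17.jar",
    "lib/spring-beans-5.3.18.jar",
    "lib/spring-cloud-function-context-3.2.2.jar",
    "lib/spring-core-5.3.17.jar",
    "lib/jackson-databind-2.13.2.jar",
]

if __name__ == "__main__":
    for path, cve, status in scan_jar_names(SAMPLE):
        print(f"{status:8s} {cve}  {path}")
```

Run `scan_directory("/path/to/dx-oi")` against the real installation root; any `affected` line means a jar at or below the vulnerable version is still present and should be checked against the hot fix's component list.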