It was found that in a vulnerability scan that our Gateways are vulnerable to CVE-2022-22950.
Please let us know of the action to take.
Successful exploitation of this vulnerability may allow an privileged attacker to execute a specially crafted SpEL expression that may cause a denial of service condition.
The vendor has released an advisory to resolve these issues.
Customers are advised to visit Spring Framework Advisory (https://tanzu.vmware.com/security/cve-2022-22950) for more information on this.
Following are links for downloading patches to fix the vulnerabilities:
Spring Framework Advisory (https://tanzu.vmware.com/security/cve-2022-22950)
Release : 4.2
Component : MOBILE API
** Gateway do not use spring expression functionality in Gateway so this CVE has no impact on it.
- Even though the gateway does not use spring expression, it still uses the above vulnerable spring versions, correct?
- How can I mitigate/patch these files without causing issues to the software?
** Spring Framework 3.x has reached EOL so we do not get upgraded version to fix this issue and there is no plans to upgrade Spring version to 5.x in Gateway 10.0.
** The spring-core is a fundamental and essential module for the spring framework, deleting this module will result in Gateway application/service failure, so we should not delete it.
** Gateway 10.1 version uses Spring Framework 5.3.x, so customers should upgrade to 10.1 to get official Gateway patch for this.