CVE-2022-22965

WSO2 Products impacted: no

Customer actions required: no


REPORTED VULNERABILITY

Spring remote code execution vulnerability [1].

REPORTED PRODUCTS

  • WSO2 Identity Server : 5.9.0, 5.10.0, 5.11.0
  • WSO2 Identity Server as Key Manager : 5.9.0, 5.10.0
  • WSO2 API Manager : 3.0.0, 3.1.0, 3.2.0, 4.0.0
  • WSO2 Enterprise Integrator : 6.6.0

WSO2 JUSTIFICATION

The WSO2 team has carried out an investigation and the relevant testing against the identified vulnerability. Based on that, this vulnerability is not exploitable against WSO2 products. However, we are actively working on the required mitigation steps and updating the Spring Framework to non-vulnerable versions.

If you have a WAF in place, you may apply the following WAF rule as an additional precaution.

Deny requests whose query string or request payload contains a match for any of the following regular expressions (these should be tested prior to production deployment, but they are effective mitigation techniques) [2]:

  • class\..*
  • Class\..*
  • .*\.class\..*
  • .*\.Class\..*
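The following is an added example, not code from the advisory or from WSO2, showing how the four patterns above behave when applied as a deny rule to the decoded query string and body of a request. The request samples are constructed for illustration; the function names `matched_pattern`, `should_deny` and `evaluate` are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# The four patterns from the advisory, compiled once. They are searched
# (not full-matched) against the decoded query string and body, which is
# how a WAF rule of this kind is normally applied.
ADVISORY_PATTERNS = [
    re.compile(r"class\..*"),
    re.compile(r"Class\..*"),
    re.compile(r".*\.class\..*"),
    re.compile(r".*\.Class\..*"),
]


def matched_pattern(text: str):
    """Return the first advisory pattern that matches `text`, or None.

    The text is URL-decoded first so that percent-encoded variants of a
    parameter name are inspected in the same form the framework sees.
    """
    decoded = unquote_plus(text)
    for pattern in ADVISORY_PATTERNS:
        if pattern.search(decoded):
            return pattern.pattern
    return None


def should_deny(query_string: str, body: str) -> bool:
    """Deny a request if either its query string or its body matches."""
    return (matched_pattern(query_string) is not None
            or matched_pattern(body) is not None)


# Constructed sample requests (not from the advisory):
# (label, query string, body).
SAMPLE_REQUESTS = [
    ("benign login", "username=alice", "password=secret"),
    ("benign word 'classroom'", "room=classroom", ""),
    ("parameter starting with class.", "class.foo=bar", ""),
    ("nested parameter", "", "user.Class.bar=1"),
    ("percent-encoded dot", "class%2Efoo=bar", ""),
]


def evaluate(samples=SAMPLE_REQUESTS):
    """Return {label: denied?} for each sample request."""
    return {label: should_deny(q, b) for label, q, b in samples}


if __name__ == "__main__":
    for label, denied in evaluate().items():
        print(f"{'DENY ' if denied else 'ALLOW'}  {label}")
```

Two points worth checking when the rule is ported to a real WAF: the patterns are unanchored, so with search semantics the first two already cover everything the last two match, and any legitimate parameter name containing `class.` or `Class.` will be denied as well, which is why the advisory asks for testing before production deployment. Decoding before matching matters because the rule should see the same parameter name the framework binds.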

REFERENCES