Posted to users@maven.apache.org by DONNELL M GARRETT <DO...@bcbssc.com> on 2022/04/08 19:24:34 UTC

CVE-2022-22963 and CVE-2022-22965

On March 31, 2022 a pair of significant vulnerabilities were identified in the Java Spring Framework which would allow an attacker to execute malicious code.

  *   CVE-2022-22963 - https://tanzu.vmware.com/security/cve-2022-22963
  *   CVE-2022-22965 - https://tanzu.vmware.com/security/cve-2022-22965

It is critical for all of our vendors to determine if their software is impacted so that remediation steps can be taken.  We need your company to respond to the following questions immediately:


  *   Is your product impacted by CVE-2022-22963 or CVE-2022-22965?
  *   Is your product built on Java?
  *   Does your product depend on the Spring Cloud Function project?  If so, what version?
  *   Does your product depend on Spring Framework?  If so, what version?
  *   Does the product require JDK 9 or higher?
  *   Does the product have a dependency on spring-webmvc?
  *   Does the product have a dependency on spring-webflux?

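The questionnaire above boils down to two checks a Maven user can run against their own build: which Spring artifacts (and versions) the project resolves, and which JDK major version it runs on. The following is an added example, not code from the original post or from the Maven or Spring projects. It parses the output of `mvn dependency:list` (which includes transitive dependencies, so a product that only declares `spring-boot-starter-web` still shows `spring-webmvc`) and extracts the artifacts the questions ask about; the `SAMPLE_DEPS` text is constructed for illustration and is not real build output. It reports presence and versions only; compare the versions it prints against the fixed releases named in the two VMware advisories linked above.

```shell
#!/bin/sh
# Added example: answer the Spring dependency questions from Maven's own output.

# Constructed sample of `mvn dependency:list` output (not from any real build).
SAMPLE_DEPS='[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-core:jar:5.3.17:compile
[INFO]    org.springframework:spring-webmvc:jar:5.3.17:compile
[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:3.1.6:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile
[INFO]    org.springframework.boot:spring-boot-starter-web:jar:2.6.5:compile'

# spring_findings: read `mvn dependency:list` output on stdin and print
# "<artifactId> <version> <scope>" for spring-core (the Spring Framework version),
# spring-webmvc, spring-webflux and any spring-cloud-function* artifact.
# Handles both "g:a:type:version:scope" and "g:a:type:classifier:version:scope".
spring_findings() {
    awk '
    /^\[INFO\][ \t]+[^: \t]+:[^: \t]+:/ {
        line = $0
        sub(/^\[INFO\][ \t]+/, "", line)
        sub(/[ \t].*$/, "", line)          # drop trailing " -- module ..." text newer Maven prints
        n = split(line, f, ":")
        if (n < 5) next
        g = f[1]; a = f[2]; v = f[n-1]; s = f[n]
        if (g == "org.springframework" && (a == "spring-core" || a == "spring-webmvc" || a == "spring-webflux"))
            print a, v, s
        else if (g == "org.springframework.cloud" && a ~ /^spring-cloud-function/)
            print a, v, s
    }'
}

# jdk_major: map a Java version string to its major number.
# "1.8.0_292" -> 8 (pre-9 scheme), "11.0.2" -> 11, "17" -> 17.
jdk_major() {
    v=$1
    case "$v" in
        1.*) v=${v#1.}; printf '%s\n' "${v%%[._]*}" ;;
        *)   printf '%s\n' "${v%%.*}" ;;
    esac
}

# Demo on the constructed sample; in a real project run:
#   mvn dependency:list | spring_findings
echo "Spring artifacts of interest (artifact version scope):"
printf '%s\n' "$SAMPLE_DEPS" | spring_findings

# JDK check, only if a java binary is on PATH.
if command -v java >/dev/null 2>&1; then
    raw=$(java -version 2>&1 | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p')
    echo "JDK major version: $(jdk_major "$raw")"
fi
```

Run the demo as-is to see the parser pick `spring-webmvc 5.3.17 compile` and `spring-cloud-function-context 3.1.6 compile` out of the sample, and note that `spring-webflux` is correctly absent. Against a real build, `mvn dependency:list` should be run per module of a multi-module project, since each module resolves its own tree.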

Re: CVE-2022-22963 and CVE-2022-22965

Posted by Tushar Kapila <tg...@gmail.com>.
Bernd
Just say:
By the power of Grayskull, and you will have all the answers ;)

Donnel
You might get a few answers on forums, but if you need help to put it all
together consider hiring someone. Freelancer.com is one resource. Besides
aunty Google


On Sat, Apr 9, 2022, 07:53 Bernd Eckenfels <ec...@zusammenkunft.net> wrote:

> Hello Donnel,
>
> We need you to do your own research, the Apache Open Source Project Maven
> is not “your vendor” and also not related with Spring. How should “we” know
> what and how you are using it?
>
> Regards
> Bernd
> --
> http://bernd.eckenfels.net
> ________________________________
> From: DONNELL M GARRETT <DO...@bcbssc.com>
> Sent: Friday, April 8, 2022 9:25 PM
> To: users@maven.apache.org <us...@maven.apache.org>
> Subject: CVE-2022-22963 and CVE-2022-22965
>
> On March 31, 2022 a pair of significant vulnerabilities were identified in
> the Java Spring Framework which would allow an attacker to execute
> malicious code.
>
>   *   CVE-2022-22963 - https://tanzu.vmware.com/security/cve-2022-22963
>   *   CVE-2022-22965 - https://tanzu.vmware.com/security/cve-2022-22965
>
> It is critical for all of our vendors to determine if their software is
> impacted so that remediation steps can be taken.  We need your company to
> respond to the following questions immediately:
>
>
>   *   Is your product impacted by CVE-2022-22963 or CVE-2022-22965?
>   *   Is your product built on Java?
>   *   Does your product depend on the Spring Cloud Function project?  If
> so, what version?
>   *   Does your product depend on Spring Framework?  If so, what version?
>   *   Does the product require JDK 9 or higher?
>   *   Does the product have a dependency on spring-webmvc?
>   *   Does the product have a dependency on spring-webflux?
>
>

Re: CVE-2022-22963 and CVE-2022-22965

Posted by Bernd Eckenfels <ec...@zusammenkunft.net>.
Hello Donnel,

We need you to do your own research, the Apache Open Source Project Maven is not “your vendor” and also not related with Spring. How should “we” know what and how you are using it?

Regards
Bernd
--
http://bernd.eckenfels.net
________________________________
From: DONNELL M GARRETT <DO...@bcbssc.com>
Sent: Friday, April 8, 2022 9:25 PM
To: users@maven.apache.org <us...@maven.apache.org>
Subject: CVE-2022-22963 and CVE-2022-22965

On March 31, 2022 a pair of significant vulnerabilities were identified in the Java Spring Framework which would allow an attacker to execute malicious code.

  *   CVE-2022-22963 - https://tanzu.vmware.com/security/cve-2022-22963
  *   CVE-2022-22965 - https://tanzu.vmware.com/security/cve-2022-22965

It is critical for all of our vendors to determine if their software is impacted so that remediation steps can be taken.  We need your company to respond to the following questions immediately:


  *   Is your product impacted by CVE-2022-22963 or CVE-2022-22965?
  *   Is your product built on Java?
  *   Does your product depend on the Spring Cloud Function project?  If so, what version?
  *   Does your product depend on Spring Framework?  If so, what version?
  *   Does the product require JDK 9 or higher?
  *   Does the product have a dependency on spring-webmvc?
  *   Does the product have a dependency on spring-webflux?