Last Updated: 1 April 2022, 8:30 am EDT (change history)
Four CVEs have been released pertaining to vulnerabilities in VMware Spring.
- CVE-2022-22947 (Critical) - Spring Cloud Gateway vulnerable to Code Injection via Gateway Actuator
- CVE-2022-22950 (Medium) - Spring Framework vulnerable to denial-of-service attack via Spring Expression Language (SpEL)
- CVE-2022-22963 (Critical) - Spring Cloud Gateway vulnerable to Remote Code Execution via Spring Expression Language (SpEL)
- CVE-2022-22965 (Critical) - Spring Core vulnerable to Remote Code Execution via Data Binding on JDK9+ (referred to as “Spring4Shell”)
As soon as Tamr’s security team received notification from our security partners, we initiated a comprehensive review of all Tamr Core and Tamr Cloud software and third party dependencies Tamr relies on. The result of this review is:
- CVE-2022-22947 - Neither Tamr Core nor Tamr Cloud incorporate Spring Cloud Gateway.
- CVE-2022-22950 - Some Tamr Core and Tamr Cloud components include vulnerable versions of Spring Framework, but Spring Expression Language is not available to end users. Tamr is identifying a path to upgrade Spring Framework in these components.
- CVE-2022-22963 - Neither Tamr Core nor Tamr Cloud incorporate Spring Cloud Gateway.
- CVE-2022-22965 - Although some components of Tamr Core and Tamr Cloud do contain vulnerable versions of the Spring Core package, these vulnerabilities are not exploitable due to Tamr’s use of the JDK8 version of the Java runtime, therefore it is not currently necessary to patch Tamr software.
In addition, Tamr is working with our security vendors to block requests that attempt to exploit these vulnerabilities.
This is a developing situation, and we will further update this guidance as we continue to learn from our investigation.
1 April 2022