Cisco issues Critical security updates for Spring Framework vulnerability


Cisco has issued an updated Critical security advisory for a Spring Framework vulnerability that affects multiple Cisco products. The networking giant also released a security update for a Critical vulnerability in its Wireless LAN Controller software.

Cisco's advisory, originally released on April 1, 2022 and updated on April 14, covers CVE-2022-22965, a critical remote code execution (RCE) vulnerability in the Spring Framework that affects Spring MVC and Spring WebFlux applications running on JDK 9+.

Spring fixed the Critical Spring Framework vulnerability, dubbed “Spring4Shell”, together with a separate Spring Cloud Function vulnerability on March 31, 2022, after the issue was reported to VMware.

“A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it,” VMware Tanzu wrote in an advisory.

Although Cisco is still actively investigating the impact of CVE-2022-22965 across its product line, the company confirmed in the April 14, 2022 update that software fixes will be made available for a number of Cisco products over the next several months.

The affected Cisco products, with their Cisco bug IDs and planned fixed-release dates, are:

| Product | Cisco Bug ID | Fixed Release Availability |
|---|---|---|
| **Endpoint Clients and Client Software** | | |
| Cisco CX Cloud Agent Software | CSCwb41735 | 2.1.0 (20 Apr 2022) |
| **Network Management and Provisioning** | | |
| Cisco Automated Subsea Tuning | CSCwb43658 | 2.1.0 (31 May 2022) |
| Cisco Crosswork Network Controller | CSCwb43703 | 3.0.2 (29 Apr 2022); 2.0.2 (29 Apr 2022) |
| Cisco Crosswork Optimization Engine | CSCwb43709 | 3.1.1 (1 May 2022); 2.1.1 (1 May 2022) |
| Cisco Crosswork Zero Touch Provisioning (ZTP) | CSCwb43706 | 3.0.2 (29 Apr 2022); 2.0.2 (20 Apr 2022) |
| Cisco Evolved Programmable Network Manager | CSCwb43643 | 6.0.1.1 (29 Apr 2022); 5.1.4.1 (29 Apr 2022); 5.0.2.3 (29 Apr 2022) |
| Cisco Managed Services Accelerator (MSX) | CSCwb43667 | 4.2.3 (27 Apr 2022) |
| Cisco Optical Network Planner | CSCwb43691 | 5.0 (30 Aug 2022) |
| Cisco WAN Automation Engine (WAE) Live | CSCwb43708 | 7.5.2.1 (19 Apr 2022); 7.4.0.2 (25 Apr 2022); 7.3.0.3 (29 Apr 2022) |
| Cisco WAN Automation Engine (WAE) | CSCwb43708 | 7.5.2.1 (19 Apr 2022); 7.4.0.2 (25 Apr 2022); 7.3.0.3 (29 Apr 2022) |
| Data Center Network Manager (DCNM) | CSCwb43637 | 12.1.1 (30 Jun 2022) |
| Nexus Dashboard Fabric Controller (NDFC) | CSCwb43637 | 12.1.1 (30 Jun 2022) |
| **Routing and Switching – Enterprise and Service Provider** | | |
| Cisco DNA Center | CSCwb43648 | |
| Cisco Optical Network Controller | CSCwb43692 | 2.0 (31 May 2022) |
| Cisco Software-Defined AVC (SD-AVC) | CSCwb43727 | |
| **Voice and Unified Communications Devices** | | |
| Cisco Enterprise Chat and Email | CSCwb45202 | 12.0 (30 May 2022); 12.5 (30 May 2022); 12.6 ES2 (15 May 2022) |
| **Video, Streaming, TelePresence, and Transcoding Devices** | | |
| Cisco Meeting Server | CSCwb43662 | 3.5.0 (30 Apr 2022); 3.4.2 (31 May 2022); 3.3.3 (17 Jun 2022) |

Cisco also patched CVE-2022-20695 (CVSS 10.0), a vulnerability in the authentication functionality of Cisco Wireless LAN Controller (WLC) Software.

This issue could “allow an unauthenticated, remote attacker to bypass authentication controls and log in to the device through the management interface.”
