Cisco has issued an updated Critical security advisory for a Spring Framework vulnerability that affects multiple Cisco products. The networking giant also released a security update for a Critical LAN wireless controller vulnerability.
Cisco first published the advisory on April 1, 2022 and updated it on April 14. It covers CVE-2022-22965, a critical remote code execution (RCE) vulnerability in the Spring Framework that affects Spring MVC and Spring WebFlux applications running on JDK 9+.
Spring fixed the Critical Spring Framework vulnerability, dubbed “Spring4Shell”, together with a separate Spring Cloud Function vulnerability on March 31, 2022, after the issue was reported to VMware.
“A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it,” VMware Tanzu wrote in an advisory.
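As an added illustration, and not code from the Cisco advisory or this article, the following is the data-binding workaround that Spring published alongside its fix: a global `@ControllerAdvice` that refuses to bind request parameters to `class`-related property paths, which is the binding path CVE-2022-22965 abuses. The class name `BinderControllerAdvice` is an arbitrary choice here. This is a stopgap; the primary fix remains upgrading to a patched Spring Framework release.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Hypothetical class name; the advice applies to every controller in the application.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Deny binding of request parameters to the "class" property and to
        // anything reachable through it (e.g. class.module.classLoader.*),
        // regardless of where it appears in the property path.
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

One caveat when applying this: a controller that declares its own `@InitBinder` method and calls `setDisallowedFields` with its own list overrides the global setting for that controller, so the same denylist has to be repeated there. It also does nothing for applications that bind request data through paths other than `WebDataBinder`, which is why the vendor advisories treat it only as a mitigation pending the upgrade.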
Although Cisco is still actively investigating the impact of CVE-2022-22965 for multiple Cisco products, the company confirmed in an updated advisory on April 14, 2022 that new software fixes for CVE-2022-22965 will be available for a number of Cisco products over the next several months.
Those Cisco products include (along with planned fixed release dates):
| Product | Cisco Bug ID | Fixed Release Availability |
|---|---|---|
| Endpoint Clients and Client Software | | |
| Cisco CX Cloud Agent Software | CSCwb41735 | 2.1.0 (20 Apr 2022) |
| Network Management and Provisioning | | |
| Cisco Automated Subsea Tuning | CSCwb43658 | 2.1.0 (31 May 2022) |
| Cisco Crosswork Network Controller | CSCwb43703 | 3.0.2 (29 Apr 2022); 2.0.2 (29 Apr 2022) |
| Cisco Crosswork Optimization Engine | CSCwb43709 | 3.1.1 (1 May 2022); 2.1.1 (1 May 2022) |
| Cisco Crosswork Zero Touch Provisioning (ZTP) | CSCwb43706 | 3.0.2 (29 Apr 2022); 2.0.2 (20 Apr 2022) |
| Cisco Evolved Programmable Network Manager | CSCwb43643 | 6.0.1.1 (29 Apr 2022); 5.1.4.1 (29 Apr 2022); 5.0.2.3 (29 Apr 2022) |
| Cisco Managed Services Accelerator (MSX) | CSCwb43667 | 4.2.3 (27 Apr 2022) |
| Cisco Optical Network Planner | CSCwb43691 | 5.0 (30 Aug 2022) |
| Cisco WAN Automation Engine (WAE) Live | CSCwb43708 | 7.5.2.1 (19 Apr 2022); 7.4.0.2 (25 Apr 2022); 7.3.0.3 (29 Apr 2022) |
| Cisco WAN Automation Engine (WAE) | CSCwb43708 | 7.5.2.1 (19 Apr 2022); 7.4.0.2 (25 Apr 2022); 7.3.0.3 (29 Apr 2022) |
| Data Center Network Manager (DCNM) | CSCwb43637 | 12.1.1 (30 Jun 2022) |
| Nexus Dashboard Fabric Controller (NDFC) | CSCwb43637 | 12.1.1 (30 Jun 2022) |
| Routing and Switching – Enterprise and Service Provider | | |
| Cisco DNA Center | CSCwb43648 | |
| Cisco Optical Network Controller | CSCwb43692 | 2.0 (31 May 2022) |
| Cisco Software-Defined AVC (SD-AVC) | CSCwb43727 | |
| Voice and Unified Communications Devices | | |
| Cisco Enterprise Chat and Email | CSCwb45202 | 12.0 (30 May 2022); 12.5 (30 May 2022); 12.6 ES2 (15 May 2022) |
| Video, Streaming, TelePresence, and Transcoding Devices | | |
| Cisco Meeting Server | CSCwb43662 | 3.5.0 (30 Apr 2022); 3.4.2 (31 May 2022); 3.3.3 (17 Jun 2022) |
Separately, Cisco patched CVE-2022-20695 (CVSS 10.0), a vulnerability in the authentication functionality of Cisco Wireless LAN Controller (WLC) Software.
According to Cisco, this issue could “allow an unauthenticated, remote attacker to bypass authentication controls and log in to the device through the management interface.”