
A critical vulnerability in the Spring Framework project, identified as CVE-2022-22965, has been publicly disclosed and impacts VMware products. Multiple products are affected by this remote code execution vulnerability (CVE-2022-22965): a malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system. Related fixes in other products: VMware vCenter Server updates address an information disclosure vulnerability, and a patch is available to address the vCenter Server information disclosure vulnerability.
Impacted Products
- VMware Tanzu Application Service for VMs
- VMware Tanzu Operations Manager
- VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)
Resolution
The fixes for CVE-2022-22965 are documented in the ‘Fixed Version’ column of the ‘Response Matrix’ below. The workarounds for CVE-2022-22965 are documented in the ‘Workarounds’ column of the ‘Response Matrix’ below.
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Tanzu Application Service for VMs | 2.13 | Any | CVE-2022-22965 | 9.8 | Critical | 2.13.1 | Here | None |
| Tanzu Application Service for VMs | 2.12 | Any | CVE-2022-22965 | 9.8 | Critical | 2.12.10 | Here | None |
| Tanzu Application Service for VMs | 2.11 | Any | CVE-2022-22965 | 9.8 | Critical | 2.11.17 | Here | None |
| Tanzu Application Service | 2.10 | Any | CVE-2022-22965 | 9.8 | Critical | 2.10.29 | Here | None |
| Tanzu Operations Manager | 2.10 | Any | CVE-2022-22965 | 9.8 | Critical | 2.10.35 | Here | None |
| Tanzu Operations Manager | 2.9 | Any | CVE-2022-22965 | 9.8 | Critical | 2.9.35 | Here | None |
| Tanzu Operations Manager | 2.8 | Any | CVE-2022-22965 | 9.8 | Critical | 2.8.20 | Here | None |
| TKGI | 1.13 | Any | CVE-2022-22965 | 9.8 | Critical | Patch pending | KB88102 | None |
| TKGI | 1.12 | Any | CVE-2022-22965 | 9.8 | Critical | Patch pending | KB88102 | None |
| TKGI | 1.11 | Any | CVE-2022-22965 | 9.8 | Critical | Patch pending | KB88102 | None |
VMware has stated that, at the time of this publication, the products listed in the advisory above are affected. VMware continues to investigate this vulnerability and will update the advisory should the list of affected products or the available fixes change.