CVE-2022-22965: VMware Response to Spring Framework Remote Code Execution Vulnerability


A critical vulnerability in the Spring Framework project, identified as CVE-2022-22965, has been publicly disclosed, and it impacts multiple VMware products. It is a remote code execution vulnerability: a malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system. Related fixes in other products: "VMware vCenter Server updates address an information disclosure vulnerability" and "Patch available to address vCenter Server information disclosure vulnerability".

Impacted Products

  • VMware Tanzu Application Service for VMs
  • VMware Tanzu Operations Manager
  • VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)


The fixes for CVE-2022-22965 are documented in the ‘Fixed Version’ column of the ‘Response Matrix’ below. The workarounds for CVE-2022-22965 are documented in the ‘Workarounds’ column of the ‘Response Matrix’ below.

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Tanzu Application Service for VMs | 2.13 | Any | CVE-2022-22965 | 9.8 | Critical | 2.13.1 | Here | None |
| Tanzu Application Service for VMs | 2.12 | Any | CVE-2022-22965 | 9.8 | Critical | 2.12.10 | Here | None |
| Tanzu Application Service for VMs | 2.11 | Any | CVE-2022-22965 | 9.8 | Critical | 2.11.17 | Here | None |
| Tanzu Application Service | 2.10 | Any | CVE-2022-22965 | 9.8 | Critical | 2.10.29 | Here | None |
| Tanzu Operations Manager | 2.10 | Any | CVE-2022-22965 | 9.8 | Critical | 2.10.35 | Here | None |
| Tanzu Operations Manager | 2.9 | Any | CVE-2022-22965 | 9.8 | Critical | 2.9.35 | Here | None |
| Tanzu Operations Manager | 2.8 | Any | CVE-2022-22965 | 9.8 | Critical | 2.8.20 | Here | None |
| TKGI | 1.13 | Any | CVE-2022-22965 | 9.8 | Critical | Patch pending | KB88102 | None |
| TKGI | 1.12 | Any | CVE-2022-22965 | 9.8 | Critical | Patch pending | KB88102 | None |
| TKGI | 1.11 | Any | CVE-2022-22965 | 9.8 | Critical | Patch pending | KB88102 | None |

VMware has stated that, at the time of this publication, the products listed in the advisory above are affected. VMware continues to investigate this vulnerability and will update the advisory should anything change.