CVE-2022-22963 - Has a Cisco Product Impact list been announced?

ChrisB-IP
Level 1

Hi, just started hearing about CVE-2022-22963 "Remote code execution in Spring Cloud Function by malicious Spring Expression" (https://tanzu.vmware.com/security/cve-2022-22963). Has Cisco made any statement regarding which products are affected and what steps need to be taken? My particular concern is with regard to Networking and Unified Comms.

Accepted Solution

Leo Laohoo
Hall of Fame

Vulnerability in Spring Framework Affecting Cisco Products (CVSS: 9.8)

Vulnerability in Spring Cloud Function Framework Affecting Cisco Products (CVSS: 9.8)

 

Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory.

 

7 Replies

Leo Laohoo
Hall of Fame

This news just broke around 24 hours ago. Give everyone some time to digest and investigate.

Ask again on Monday.

Priyank Agrawal
Cisco Employee

Cisco is aware of the vulnerability "CVE-2022-22963: Spring Expression Resource Access Vulnerability". We are following our well-established process to investigate all aspects of the issue. If something is found that our customers need to be aware of and respond to, we will communicate via our established disclosure process.

What about CVE-2022-22965? Any Cisco product got affected? Thanks.

Cisco is aware of the vulnerability identified by CVE ID CVE-2022-22965 and with the title "Spring Framework RCE via Data Binding on JDK 9+". We are following our well-established process to investigate all aspects of the issue. If something is found that our customers need to be aware of and respond to, we will communicate via our established disclosure process.

Excellent, thanks


@ChrisB-IP wrote:

Excellent, thanks


Not so fast. VMware just released a few more: VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities.

 

CVSS Score:  9.8

 
