VMware has issued an advisory warning that several of its products are vulnerable to Spring4Shell, the Spring Framework flaw first disclosed last week, while other vendors are still investigating their offerings.
Last week, the SANS Internet Storm Center first saw exploit code for the bug in the Spring Framework for Java appear on its honeypot systems, indicating that attackers were already scanning for vulnerable systems.
The Spring project has released patched versions of its software.
The VMWare advisory identifies three products that use the Spring Framework: the Tanzu Application Service for VMs, Tanzu Operations Manager, and Tanzu Kubernetes Grid Integrated Edition (TKGI).
The company says an attacker with network access to an affected product could exploit the flaw “to gain full control over the target system”.
The affected versions are Tanzu Application Service for VMs 2.8 to 2.13, Tanzu Operations Manager 2.8 to 2.10, and TKGI 1.12 and 1.13.
Fixed versions have been released for Tanzu Application Service for VMs and Tanzu Operations Manager, but the patch for TKGI is still pending.
Last week, the CERT Coordination Center at Carnegie Mellon University warned that Spring4Shell could lead to remote code execution.
“By providing generated data to a Spring Java application, such as a web application, an attacker may be able to execute arbitrary code with the privileges of the affected application,” the CERT advisory said.
“Depending on the application, exploitation may be possible by a remote attacker without the need for authentication.”
According to the Dutch National Cyber Security Centre (NCSC-NL), only VMware, PTC (for Windchill and related products), and Jamf have so far confirmed that they have products affected by the vulnerability.
However, dozens of products from other vendors, including Fortinet, Jenkins, Pulse Secure, Veritas, Kofax, Alphatron Medical, ServiceNow, SolarWinds, and PagerDuty, remain under investigation.
Cisco has published two advisories detailing its investigation into Spring4Shell. At the time of writing, no Cisco products have been identified as vulnerable.