Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulnerability in Spring Framework Affecting Cisco Products: March 2022

Related Vulnerabilities: CVE-2022-22965  

On March 31, 2022, the following critical vulnerability in the Spring Framework affecting Spring MVC and Spring WebFlux applications running on JDK 9+ was released: CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+ For a description of this vulnerability, see VMware Spring Framework Security Vulnerability Report. This advisory will be updated as additional information becomes available. This advisory is available at the following link:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67

Source

Summary

Affected Products

  • Cisco is investigating its product line to determine which products may be affected by this vulnerability. As the investigation progresses, Cisco will update this advisory with information about affected products.

    The Vulnerable Products section will include Cisco bug IDs for each affected product. The bugs will be accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases.

    Any product not listed in the Products Under Investigation or Vulnerable Products section of this advisory is to be considered not vulnerable. Because this is an ongoing investigation, be aware that products that are currently considered not vulnerable may subsequently be considered vulnerable as additional information becomes available.

    Products Under Investigation

    The following products are under active investigation to determine whether they are affected by the vulnerability that is described in this advisory.

    Cable Devices

    • Cisco Continuous Deployment and Automation Framework
    • Cisco Prime Cable Provisioning
    • Cisco Ultra Cloud Core - Network Repository Function

    Collaboration and Social Media

    • Cisco SocialMiner
    • Cisco Webex App, formerly Cisco Webex Teams

    Endpoint Clients and Client Software

    • Cisco CX Cloud Agent Software

    Network Application, Service, and Acceleration

    • Cisco Extensible Network Controller (XNC)
    • Cisco Nexus Dashboard Data Broker, formerly Cisco Nexus Data Broker
    • Cisco Nexus Insights
    • Cisco Wide Area Application Services (WAAS)

    Network and Content Security Devices

    • Cisco Adaptive Security Appliance (ASA)
    • Cisco Firepower Device Manager (FDM)
    • Cisco Firepower Management Center (FMC)
    • Cisco Firepower System Software
    • Cisco Secure Network Analytics, formerly Cisco Stealthwatch Enterprise
    • Cisco Security Manager

    Network Management and Provisioning

    • Cisco Application Policy Infrastructure Controller (APIC)
    • Cisco Automated Subsea Tuning
    • Cisco CloudCenter Action Orchestrator
    • Cisco CloudCenter Suite Admin
    • Cisco CloudCenter Workload Manager
    • Cisco Collaboration Audit and Assessments
    • Cisco Common Services Platform Collector (CSPC)
    • Cisco Connected Pharma
    • Cisco Crosswork Change Automation
    • Cisco Crosswork Data Gateway
    • Cisco Crosswork Network Automation
    • Cisco Crosswork Network Controller
    • Cisco Crosswork Optimization Engine
    • Cisco Crosswork Situation Manager
    • Cisco Crosswork Zero Touch Provisioning (ZTP)
    • Cisco DNA Assurance
    • Cisco Data Center Network Manager (DCNM)
    • Cisco Edge Intelligence
    • Cisco Elastic Services Controller (ESC)
    • Cisco Evolved Programmable Network Manager
    • Cisco Intelligent Node (iNode) Manager
    • Cisco IoT Field Network Director, formerly Cisco Connected Grid Network Management System
    • Cisco Nexus Dashboard, formerly Cisco Application Services Engine
    • Cisco Optical Network Planner
    • Cisco Policy Suite
    • Cisco Prime Network Change and Configuration Management
    • Cisco Prime Performance Manager
    • Cisco Smart PHY
    • Cisco Smart Software Manager
    • Cisco Virtual Topology System - Virtual Topology Controller (VTC) VM
    • Cisco WAN Automation Engine (WAE)

    Routing and Switching - Enterprise and Service Provider

    • Cisco ASR 5000 Series Routers
    • Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM)
    • Cisco DNA Center
    • Cisco Enterprise NFV Infrastructure Software (NFVIS)
    • Cisco GGSN Gateway GPRS Support Node
    • Cisco IOx Fog Director
    • Cisco IP Services Gateway (IPSG)
    • Cisco MME Mobility Management Entity
    • Cisco Mobility Unified Reporting and Analytics System
    • Cisco Network Assurance Engine
    • Cisco Network Convergence System 2000 Series
    • Cisco ONS 15454 Series Multiservice Provisioning Platforms
    • Cisco Optical Network Controller
    • Cisco PDSN/HA Packet Data Serving Node and Home Agent
    • Cisco PGW Packet Data Network Gateway
    • Cisco SD-WAN vManage
    • Cisco System Architecture Evolution Gateway (SAEGW)
    • Cisco Ultra Cloud Core - Access and Mobility Management Function
    • Cisco Ultra Cloud Core - Policy Control Function
    • Cisco Ultra Cloud Core - Session Management Function
    • Cisco Ultra Cloud Core - Subscriber Microservices Infrastructure
    • Cisco Ultra Packet Core
    • Cisco Ultra Services Platform

    Routing and Switching - Small Business

    • Cisco Business Dashboard

    Unified Computing

    • Cisco HyperFlex HX Data Platform

    Voice and Unified Communications Devices

    • Cisco BroadCloud for Carriers
    • Cisco BroadWorks
    • Cisco Cloud Connect
    • Cisco Emergency Responder
    • Cisco Unified Attendant Console Advanced
    • Cisco Unified Attendant Console Business Edition
    • Cisco Unified Attendant Console Department Edition
    • Cisco Unified Attendant Console Enterprise Edition
    • Cisco Unified Attendant Console Premium Edition
    • Cisco Unified Communications Manager/Cisco Unified Communications Manager Session Management Edition
    • Cisco Unified Communications Manager IM & Presence Service
    • Cisco Unified Contact Center Express
    • Cisco Unified Customer Voice Portal
    • Cisco Unified Intelligence Center
    • Cisco Unity Connection
    • Cisco Virtualized Voice Browser
    • Cisco Webex Board, formerly Cisco Spark Board

    Video, Streaming, TelePresence, and Transcoding Devices

    • Cisco Meeting Server
    • Cisco Video Surveillance Operations Manager
    • Cisco Vision Dynamic Signage Director

    Cisco Cloud Hosted Services

    • Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC)
    • Cisco Cloud Email Security
    • Cisco Cognitive Intelligence
    • Cisco DNA Center Cloud
    • Cisco Intersight
    • Cisco IoT Control Center
    • Cisco Kinetic for Cities
    • Cisco Managed Services Accelerator (MSX)
    • Cisco Registered Envelope Service
    • Cisco Smart Collector - Lifecycle Management
    • Cisco Umbrella
    • Cisco Unified Communications Manager Cloud
    • Cisco Webex Centers - Meeting Center, Training Center, Event Center, Support Center
    • Cisco Webex Events
    • Cisco Webex Meeting Server - Multimedia Platform

    Vulnerable Products

    Cisco is investigating its product line to determine which products may be affected by this vulnerability. This section will be updated as information is available.

    No products have been identified as vulnerable.

    Products Confirmed Not Vulnerable

    Cisco is investigating its product line to determine which products may be affected by this vulnerability. This section will be updated as information becomes available.

    Any product not listed in the Products Under Investigation or Vulnerable Products section of this advisory is to be considered not vulnerable. Because this is an ongoing investigation, be aware that products that are currently considered not vulnerable may subsequently be considered vulnerable as additional information becomes available.

    Cisco has confirmed that this vulnerability does not affect the following Cisco products:

    Network and Content Security Devices

    • Cisco Identity Services Engine (ISE)

Workarounds

  • There are no workarounds that address this vulnerability.

Fixed Software

  • For information about fixed software releases, consult the Cisco bugs identified in the Vulnerable Products section of this advisory.

    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

  • The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory.

Source

  • This vulnerability was publicly disclosed by VMware on March 31, 2022.

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

Action Links for This Advisory

URL

Revision History

  • Version Description Section Status Date
    1.0 Initial public release. - Interim 2022-APR-01

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started