Spring4Shell and CVE-2022-22963 vulnerabilities

Related Vulnerabilities: CVE-2022-22963  



Summary

Two distinct Spring project vulnerabilities were released recently with a critical CVSS score and are classified as zero-day attacks.
The two vulnerabilities are currently known as:
Spring4Shell:
There is currently no fix available for the Spring4Shell vulnerability. However, we know that it affects products using the Spring Framework with JDK 9 or above.
https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html?fbclid=IwAR2fXxKQjG9vnJiOaXyZ1N_Ypx91TOzO6f48qGZRfKRzinYtD5nUCIptIjg&m=1
CVE-2022-22963:
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using the routing functionality it is possible for a user to provide a specially crafted SpEL expression as a routing-expression, which may result in access to local resources.
https://tanzu.vmware.com/security/cve-2022-22963
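As an added example that is not part of this advisory: a Python dependency audit that flags spring-cloud-function artifacts in a Maven pom.xml whose version falls in the range the advisory names for CVE-2022-22963 (3.1.6, 3.2.2 and older unsupported versions). The sample pom.xml is constructed; the 3.1.x and 3.2.x cut-offs follow the advisory's wording, so versions above them are treated as not named by the advisory rather than as confirmed fixed.

```python
import re
import xml.etree.ElementTree as ET

def is_affected(version: str) -> bool:
    """True if a spring-cloud-function version is in the advisory's affected range."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        # Missing or unparseable version (e.g. set by a parent/BOM): review by hand
        return True
    major, minor, patch = map(int, m.groups())
    if (major, minor) < (3, 1):
        return True          # older, unsupported release lines
    if (major, minor) == (3, 1):
        return patch <= 6    # 3.1.6 and below
    if (major, minor) == (3, 2):
        return patch <= 2    # 3.2.2 and below
    return False             # later lines are not named by the advisory

def audit_pom(pom_xml: str) -> list:
    """Return (artifactId, resolved version) for affected spring-cloud-function deps."""
    root = ET.fromstring(pom_xml)
    uri = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    ns, p = ({"m": uri}, "m:") if uri else ({}, "")
    # Collect <properties> so that ${name} references in <version> can be resolved
    props = {e.tag.split("}")[-1]: (e.text or "").strip()
             for e in root.findall(f"{p}properties/*", ns)}
    hits = []
    for dep in root.findall(f".//{p}dependency", ns):
        group = dep.findtext(f"{p}groupId", "", ns).strip()
        artifact = dep.findtext(f"{p}artifactId", "", ns).strip()
        version = dep.findtext(f"{p}version", "", ns).strip()
        if group != "org.springframework.cloud" or not artifact.startswith("spring-cloud-function"):
            continue
        version = re.sub(r"\$\{([^}]+)\}", lambda mm: props.get(mm.group(1), mm.group(0)), version)
        if is_affected(version):
            hits.append((artifact, version))
    return hits

# Constructed sample pom.xml: one dependency pinned through a property, one fixed inline
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><scf.version>3.2.2</scf.version></properties>
  <dependencies>
    <dependency><groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-function-web</artifactId><version>${scf.version}</version></dependency>
    <dependency><groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-function-context</artifactId><version>3.1.7</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    print(audit_pom(SAMPLE_POM))  # only the property-pinned 3.2.2 artifact is flagged
```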
 

Affected Products

The following products are currently under investigation:
FortiPortal
FortiCASB
FortiAnalyzer-BigData
FortiEDR
FortiSOAR
FortiEdge
FortiAIOps
FortiLANCloud
FortiPolicy
The following products are NOT impacted:
FortiOS
FortiManager
FortiAnalyzer
FortiIsolator
FortiMail
FortiNDR
FortiClientWindows
FortiClientLinux
FortiClientMac
FortiClientEMS
FortiClientAndroid
FortiADC
FortiAuthenticator
FortiAP
FortiAP-C
FortiAP-S
FortiAP-U
FortiAP-W2
FortiDeceptor
FortiDDoS
FortiDDoS-F
FortiExtender
FortiRecorder
FortiSandbox
FortiSIEM
FortiTester
FortiSwitch
FortiVoiceEnterprise
FortiWeb
FortiWLC
FortiWLM
Forticonnect
FortiConverter
FortiInsight
FortiPentest
FortiPlanner
FortiPresence
FortiAPCloud
FortiNAC