-
Title
Foglight and CVE-2022-22965 (Spring Core Framework Remote Code Execution Vulnerability) -
Description
Is Foglight affected by CVE-2022-22965 (Spring Core Framework Remote Code Execution Vulnerability)?
-
Cause
Spring is a Java framework and is probably used in some form in most Java-based applications.
This external vulnerability report from the VMWare website provides more information on this vulnerability: https://tanzu.vmware.com/security/cve-2022-22965
-
Resolution
STATUS
Quest R&D has concluded their analysis of Foglight and has found that the Spring4Shell vulnerability does not affect Foglight customers because Foglight is on Java 8, and the vulnerability requires an application to be running Java 9.
NEXT STEPS
Quest plans to upgrade the Spring Framework used in Foglight to a newer version, 5.3.18 or higher, as part of Foglight version 6.3.
-
Defect ID
FOG-1166 -
Additional Information
Code vulnerability scanners can detect the version of Spring being used. Users will not be able to identify the version easily because the version is not in the file name.
Users can view the version on the “Legal Notices” tab of the “About” screen.
In the top right corner menu, select About from the pulldown menu
Choose the Legal Notices tab from the popup
Scroll down to Spring Framework
