Are currently supported versions of Foglight affected by CVE-2022-22950 vulnerability in Spring Framework?
A vulnerability scan identified CVE-2022-22950 in Foglight files because they ship Spring Framework version 4.3.29:
$FMS_HOME/server/core/spring-beans.jar:META-INF/MANIFEST.MF
Manifest-Version: 1.0
Implementation-Title: spring-beans
Implementation-Version: 4.3.29.RELEASE
Created-By: 1.8.0_232 (Oracle Corporation)
Quest R&D determined that Foglight installations of version 6.1.0 and below may be affected by this vulnerability, but it is considered only a Denial of Service (DoS) vulnerability; it is not expected to lead to information being compromised or to remote code execution (RCE).
An attacker might be able to specify an expression in the Spring configuration that tries to create a list of unbounded length, which can lead to an Out Of Memory condition in Foglight.
Exploiting this vulnerability would require the attacker to have access to the Foglight Management Server (FMS) installation in order to supply that configuration, so the exploit may not be applicable to Foglight as long as the installation remains secure.
STATUS
Quest has upgraded the Spring Framework used in Foglight to a newer version, 5.3.18 or higher, as part of Foglight version 6.3.
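As an added example (not part of the Quest article or of Foglight itself), the following Python reads the META-INF/MANIFEST.MF of a spring-beans.jar like the one quoted above and reports whether its Implementation-Version is below the 5.3.18 floor stated under STATUS. The sample jar is constructed in memory so the script runs offline; on a real server you would read $FMS_HOME/server/core/spring-beans.jar instead.

```python
import io
import re
import zipfile

# From the article: 4.3.29 was flagged; Foglight 6.3 ships Spring 5.3.18 or higher.
FIXED_SPRING_VERSION = (5, 3, 18)

def parse_manifest(text):
    """Parse MANIFEST.MF into a dict; lines starting with a space continue the previous value."""
    attrs = {}
    last_key = None
    for line in text.splitlines():
        if line.startswith(" ") and last_key:
            attrs[last_key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs

def version_tuple(version):
    """'4.3.29.RELEASE' -> (4, 3, 29); qualifiers such as RELEASE are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])

def spring_jar_status(jar_bytes):
    """Return (title, version, affected); affected is True when below the fixed version."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs = parse_manifest(manifest)
    version = attrs.get("Implementation-Version", "")
    affected = version_tuple(version) < FIXED_SPRING_VERSION
    return attrs.get("Implementation-Title", ""), version, affected

def build_sample_jar(version):
    """Constructed sample: an in-memory jar whose manifest mirrors the one quoted in the article."""
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "Implementation-Title: spring-beans\r\n"
        f"Implementation-Version: {version}\r\n"
        "Created-By: 1.8.0_232 (Oracle Corporation)\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

if __name__ == "__main__":
    # Real use: spring_jar_status(open(f"{FMS_HOME}/server/core/spring-beans.jar", "rb").read())
    for v in ("4.3.29.RELEASE", "5.3.18"):
        print(spring_jar_status(build_sample_jar(v)))
```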