Is Foglight affected by CVE-2022-22965 (Spring Core Framework Remote Code Execution Vulnerability)?
Spring is a widely used Java application framework, and most Java-based products include it in some form.
This external vulnerability report from the VMware website provides more information on the vulnerability: https://tanzu.vmware.com/security/cve-2022-22965
Quest R&D has concluded its analysis of Foglight and found that the Spring4Shell vulnerability (CVE-2022-22965) does not affect Foglight customers: Foglight runs on Java 8, and the vulnerability requires the application to be running on JDK 9 or later.
Quest plans to upgrade the Spring Framework used in Foglight to 5.3.18 or later (the first 5.3.x release containing the fix) as part of Foglight version 6.3.1, which is targeted for Q3 2022.
Code vulnerability scanners can detect the version of Spring in use. Users cannot easily identify the version themselves because it is not part of the JAR file name.
Users can view the version on the "Legal Notices" tab of the "About" screen:
1. In the top right corner menu, select About from the pulldown menu.
2. Choose the Legal Notices tab from the popup.
3. Scroll down to Spring Framework.
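For readers who would rather verify the two conditions discussed above (Spring version and Java major version) on disk than through the Foglight UI, the following is an added example that is not part of this article or of any Quest tooling. It reads Implementation-Version from the MANIFEST.MF inside a Spring JAR (a constructed sample JAR is embedded so the script runs offline), classifies the version against the fixed releases named in the VMware advisory (5.3.18 and 5.2.20), parses the Java version string, and reports whether the deployment meets the Java 9+ precondition. The function names, the sample manifest contents and the jar path handling are assumptions for illustration; the VMware advisory also lists further preconditions (Tomcat WAR packaging, spring-webmvc or spring-webflux) that this check does not cover.

```python
import io
import re
import zipfile

# First patched release per Spring 5.x minor line, per the VMware advisory.
# 5.0.x and 5.1.x are out of support and have no fix; Spring 6 shipped with it.
FIXED_PATCH_LEVEL = {2: 20, 3: 18}


def spring_version_from_jar(jar_bytes):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None.

    Spring JARs carry the version in the manifest even when the file
    has been renamed, which is why the file name cannot be trusted.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def parse_version(version):
    """'5.3.16' -> (5, 3, 16); raises ValueError on anything else."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised Spring version: %r" % version)
    return tuple(int(x) for x in m.groups())


def spring_is_patched(version):
    """True if this Spring Framework version contains the CVE-2022-22965 fix."""
    major, minor, patch = parse_version(version)
    if major >= 6:
        return True
    if major < 5:
        return False
    fixed = FIXED_PATCH_LEVEL.get(minor)
    if fixed is None:          # 5.0.x / 5.1.x: unsupported, never fixed
        return False
    return patch >= fixed


def java_major(java_version):
    """Map a java.version string to its major release.

    '1.8.0_332' -> 8 (legacy 1.x scheme), '11.0.15' -> 11, '17' -> 17.
    """
    parts = java_version.split(".")
    if parts[0] == "1" and len(parts) > 1:
        return int(parts[1])
    return int(re.match(r"^\d+", parts[0]).group(0))


def in_scope(spring_version, java_version):
    """True only if Spring is unpatched AND the JVM is JDK 9 or later.

    Both must hold for the vulnerability; a Java 8 host with an old
    Spring (the Foglight case in the article) is reported as out of scope.
    """
    return (not spring_is_patched(spring_version)) and java_major(java_version) >= 9


def build_sample_jar(version):
    """Constructed sample JAR containing only a manifest (for offline demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\r\n"
            "Implementation-Title: spring-core\r\n"
            "Implementation-Version: %s\r\n" % version,
        )
    return buf.getvalue()


SAMPLE_JAR = build_sample_jar("5.3.16")   # constructed, pre-fix version


def check_jar(jar_bytes, java_version):
    """Convenience wrapper: read the JAR and return (spring_version, in_scope)."""
    version = spring_version_from_jar(jar_bytes)
    return version, in_scope(version, java_version)


if __name__ == "__main__":
    for jvm in ("1.8.0_332", "11.0.15"):
        ver, scope = check_jar(SAMPLE_JAR, jvm)
        print("Spring %s on Java %s: %s" % (ver, jvm, "IN SCOPE" if scope else "not in scope"))
```

On a live host the same manifest field can be read with `unzip -p <spring-core jar> META-INF/MANIFEST.MF` and the JVM version with `java -version`; the script above is only there to make the decision logic explicit and repeatable.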