"Spring4Shell" - RCE Vulnerabilities in Spring Framework and Spring Cloud Function
Priority: ● High
Status: In Progress - Monitoring
First Published: 1 April 2022
Last Updated: 4 August 2022
Advisory Version: 2.7
References: CVE-2022-22965, CVE-2022-22963, CVE-2022-22950
Summary
Vulnerabilities affecting certain versions of the Spring Framework for Java (CVE-2022-22965, CVE-2022-22950) and Spring Cloud Function (CVE-2022-22963) were recently disclosed. These vulnerabilities, collectively referred to as "Spring4Shell", could allow an attacker to remotely execute code on an affected system.
Exposure to CVE-2022-22965 requires the following:
* JDK 9 or higher
* Apache Tomcat as the Servlet container.
* Packaged as a traditional WAR (in contrast to a Spring Boot executable jar).
* spring-webmvc or spring-webflux dependency.
* Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.
CVE-2022-22963 affects versions 3.1.6 (or older) and 3.2.2 (or older) of Spring Cloud Function. CVE-2022-22963 has been mitigated in Spring Cloud Function versions 3.1.7 and 3.2.3.
CVE-2022-22950 affects Spring Framework versions 5.3.0 - 5.3.16, 5.2.0 - 5.2.19, and older, unsupported versions.
Additional information about CVE-2022-22965 may be found here (Spring Blog).
Additional information about CVE-2022-22963 may be found here (VMware).
Additional information about CVE-2022-22950 may be found here (VMware).
Affected Products
Vulnerable Products
Hitachi Vantara is currently investigating its product lines to determine if any are affected by this vulnerability. If any products or solutions are found to be impacted, they will be indicated in this section, in subsequent updates to this advisory, along with information regarding mitigations or fixed release versions (if such information is available at the time). Likewise, any products or solutions that have been confirmed not to be affected by the given vulnerability will be listed in the section below.
NOTE: If cited, product documentation, including product-specific Alerts and Technical Bulletins, are available to Hitachi Vantara customers logged into Support Connect.
| Product | Notes / Fixed Release Version |
| Software Products |
| Hitachi Device Manager (HDvM) Server |
CVE-2022-22965: HDvM (Server) v8.8.3 or later is affected. Versions of HDvM (Server) prior to v8.8.3 do not meet the conditions of occurrence for CVE-2022-22965 CVE-2022-22963: Not affected. Spring Cloud Function is not used. CVE-2022-22950: Not affected. SpEL (Spring Expression Language) is not used. |
| Hitachi Replication Manager (HRpM) | CVE-2022-22965: HRpM v8.8.3 or later is affected. Versions of HRpM prior to v8.8.3 do not meet the conditions of occurrence for CVE-2022-22965 CVE-2022-22963: Not affected. Spring Cloud Function is not used. CVE-2022-22950: Not affected. SpEL (Spring Expression Language) is not used. |
| Hitachi Tiered Storage Manager (HTSM) |
CVE-2022-22965: HTSM v8.8.3 or later is affected. Versions of HTSM prior to v8.8.3 do not meet the conditions of occurrence for CVE-2022-22965 CVE-2022-22963: Not affected. Spring Cloud Function is not used. CVE-2022-22950: Not affected. SpEL (Spring Expression Language) is not used. |
| Hitachi Global Link Manager (HGLM) |
CVE-2022-22965: HGLM v8.8.3 or later is affected. Versions of HGLM prior to v8.8.3 do not meet the conditions of occurrence for CVE-2022-22965 CVE-2022-22963: Not affected. Spring Cloud Function is not used. CVE-2022-22950: Not affected. SpEL (Spring Expression Language) is not used. |
Products Confirmed Not Vulnerable
* As this is an ongoing investigation across all Hitachi Vantara product lines, please note that products may be reclassified as vulnerable as they continue to be evaluated for risk.
| Product | Notes / Fixed Release Version |
| Storage Systems |
| Hitachi Virtual Storage Platform VSP E990, VSP E790, VSP E590 | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Hitachi Virtual Storage Platform VSP G130, F/G350, VSP F/G370, VSP F/G700, VSP F/G900 | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Hitachi Virtual Storage Platform VSP G200, VSP F/G/N400, VSP F/G/N600, VSP F/G/N800 | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Hitachi Virtual Storage Platform VSP 5100, VSP 5100H, VSP 5500, VSP 5500H (VSP 5x00) RAID 900 |
· CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Hitachi Virtual Storage Platform VSP 5200, VSP 5200H, VSP 5600, VSP 5600H (VSP 5x00) RAID 900 |
· CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Hitachi Virtual Storage Platform G1000, F/G1500 (VSP F/G1x00) RAID 800 |
· CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Hitachi Virtual Storage Platform (VSP) RAID 700 | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Hitachi Unified Storage VM (HUS VM) HM700 | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Hitachi Adaptable Modular Storage DF800S, DF800M, DF800H (AMS 2x00) | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Hitachi Unified Storage DF850XS, DF850S, DF850MH (HUS 1x0) | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Network Attached Storage |
| HNAS 5000 Series | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| HNAS 4000 Series | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| HNAS 30x0 Series | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Virtual Storage Platform Gx00/Fx00 NAS Modules | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Virtual Storage Platform Nx00 NAS Modules | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| SMU | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| HDRS (Hitachi Disaster Recovery Solution) | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Content Products |
| Content Platform |
· CVE-2022-22965: Not affected. Conditions for occurrence not met. |
| Content Platform S Series |
· CVE-2022-22965: Not affected. Spring Framework is not used |
| Content Platform Anywhere (all versions) |
· CVE-2022-22965: Not affected. Conditions for occurrence not met. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. |
| Content Platform Gateway | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Hitachi Content Software for File (HCSF) | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Content Intelligence | · CVE-2022-22965: Not affected. Conditions for occurrence not met. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. |
| HCP for Cloud Scale | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Hitachi Data Ingestor (HDI/HFSM) |
· CVE-2022-22965: Not affected. Spring Framework is not used. |
| Data Protector | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Software Products |
| Hitachi Remote Ops (HRO) | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Hitachi Remote Access Control Center (RACC) | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Hitachi Ops Center Administrator (formerly HSA) |
· CVE-2022-22965: Not affected. Conditions for occurrence not met. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. |
| Hitachi Ops Center Analyzer (Detail View), Analyzer (Probe) |
· CVE-2022-22965: Not affected. Conditions for occurrence not met. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. SpEL (Spring Expression Language) is not used. |
| Hitachi Ops Center Analyzer (HIAA), Analyzer (Viewport), Analyzer (RAID Agent) |
· CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. SpEL (Spring Expression Language) is not used. |
| Hitachi Ops Center Automator |
· CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. SpEL (Spring Expression Language) is not used. |
| Hitachi Ops Center Protector |
· CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. SpEL (Spring Expression Language) is not used. |
| Hitachi Device Manager (HDvM) Agent |
· CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. SpEL (Spring Expression Language) is not used. |
| Hitachi Tuning Manager (HTnM) Server and Agent |
· CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. SpEL (Spring Expression Language) is not used. |
| Hitachi Dynamic Link Manager (HDLM) | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. SpEL (Spring Expression Language) is not used. |
| Hitachi Compute Systems Manager (HCSM) | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. SpEL (Spring Expression Language) is not used. |
| Hitachi Infrastructure Analytics Advisor (HIAA) Server, Viewport, and RAID Agent |
· CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Hitachi Automation Director (HAD) | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Hitachi Configuration Manager (HCM) REST API |
· CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Hitachi Advanced Reporter | · CVE-2022-22965: Not affected. Conditions for occurrence not met. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. |
| UCP Advisor | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
| Storage Navigator Modular 2 (SNM2) | · CVE-2022-22965: Not affected. Spring Framework is not used. · CVE-2022-22963: Not affected. Spring Cloud Function is not used. · CVE-2022-22950: Not affected. Spring Framework is not used. |
Recommended Actions
Please continue to check this Security Advisory, as new information will be added to it as it becomes available.
If any of the information presented above remains unclear, please contact the Hitachi Vantara Global Support Center, or your Vantara-authorized service and support provider.
The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.