VMware sprung by Spring4shell vulnerability

VMware has issued a warning that it has products that contain the Spring4Shell vulnerability, first discovered last week, while other vendors are investigating their offerings.

Late last week, the SANS Internet Storm Centre first saw exploit code appear on their honeypot systems, for the bug in the Spring Framework for Java, indicating that attackers are scanning for vulnerable systems.

The Spring project has released patched versions of its software.

VMware’s advisory identifies three products that use the Spring Framework: its Tanzu Application Service for VMs, Tanzu Operations Manager, and Tanzu Kubernetes Grid Integrated Edition (TKGI).

The company says the products can be attacked over the network, “to gain full control of the target system”.

Versions affected are Tanzu Application Service for VMs versions 2.8 through to 2.13, Tanzu Operations Manager 2.8 to 2.10, and TKGI 1.12 and 1.13. 

Fixed versions have been released for Tanzu Application Service for VMs and Operations Manager, but the patch is still pending for TKGI.

Last week, the Computer Emergency Response Team at Carnegie-Mellon warned that Spring4Shell could lead to remote code execution.

“By providing crafted data to a Spring Java application, such as a web application, an attacker may be able to execute arbitrary code with the privileges of the affected application,” the CERT advisory stated. 

“Depending on the application, exploitation may be possible by a remote attacker without requiring authentication.”

According to the Netherlands’ NCSC-NL, only VMware, PTC (in its WindChill and products), and Jamf have confirmed they have products which inherit the vulnerability. 

Jamf's chief information security officer Aaron Kiemele said it is continuing "to investigate the impact of Spring4Shell has on our products."

"In the short time since this vulnerability was identified, we have not been able to identify a clean path to direct exploitation within Jamf products," Kiemele said in a statement.

"We released patches to address the vulnerability on [April 1] to ensure the safety of our customers."

However, dozens of products from other vendors, including Fortinet, Jenkins, Pulse Secure, Veritas, Kofax, Alphatron Medical, Servicenow, Solarwinds, and PagerDuty remain under investigation.

Cisco has issued two advisories (here and here) detailing its Spring4Shell investigations. At the time of writing, no Cisco products were identified as vulnerable.

Story was updated 5/4 at 2.45pm to include a statement from Jamf.