Summary

• On March 31, 2022, the following critical vulnerability in the Spring Framework affecting Spring MVC and Spring WebFlux applications running on JDK 9+ was released:

  CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

  For a description of this vulnerability, see VMware Spring Framework Security Vulnerability Report.

  This advisory is available at the following link:
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67

Affected Products

• Cisco investigated its product line to determine which products may be affected by this vulnerability.

  The Vulnerable Products section includes Cisco bug IDs for each affected product. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases.

  Any product not listed in the Affected Products section of this advisory is to be considered not vulnerable.

  Vulnerable Products

  Cisco investigated its product line to determine which products may be affected by this vulnerability.

  The following table lists Cisco products that are affected by the vulnerability that is described in this advisory. If a future release date is indicated for software, the date provided represents an estimate based on all information known to Cisco as of the Last Updated date at the top of the advisory. Availability dates are subject to change based on a number of factors, including satisfactory testing results and delivery of other priority features and fixes. Customers should refer to the associated Cisco bug(s) for further details.

  Product	Cisco Bug ID	Fixed Release Availability
  Endpoint Clients and Client Software
  Cisco CX Cloud Agent Software	CSCwb41735	2.0 (Available)
  Network Management and Provisioning
  Cisco Automated Subsea Tuning	CSCwb43658	2.1.0 (31 May 2022)
  Cisco Crosswork Network Controller	CSCwb43703	3.0.2 (Available) 2.0.2 (Available)
  Cisco Crosswork Optimization Engine	CSCwb43709	3.1.1 (Available) 2.1.1 (Available)
  Cisco Crosswork Zero Touch Provisioning (ZTP)	CSCwb43706	3.0.2 (Available) 2.0.2 (Available)
  Cisco DNA Center	CSCwb43650	2.3.3.3 (17 Jun 2022) 2.2.3.6 (6 Jun 2022) 2.2.2.9 (6 Jun 2022)
  Cisco Evolved Programmable Network Manager	CSCwb43643	6.0.1.1 (Available) 5.1.4.1 (Available) 5.0.2.3 (Available)
  Cisco Managed Services Accelerator (MSX)	CSCwb43667	4.2.3 (Available)
  Cisco Optical Network Planner	CSCwb43691	4.2 (31 May 2022) 5.0 (30 Aug 2022)
  Cisco WAN Automation Engine (WAE) Live	CSCwb43708	7.5.2.1 (Available) 7.4.0.2 (Available) 7.3.0.3 (Available)
  Cisco WAN Automation Engine (WAE)	CSCwb43708	7.5.2.1 (Available) 7.4.0.2 (Available) 7.3.0.3 (Available)
  Data Center Network Manager (DCNM)	CSCwb43637	11.5.4 (Available)
  Nexus Dashboard Fabric Controller (NDFC)	CSCwb43637	12.1.1 (30 Jun 2022)
  Routing and Switching - Enterprise and Service Provider
  Cisco Optical Network Controller	CSCwb43692	2.0 (31 May 2022)
  Cisco Software-Defined AVC (SD-AVC)	CSCwb43727	4.3.1 (30 July 2022) 4.4.0 (30 Nov 2022)
  Voice and Unified Communications Devices
  Cisco Enterprise Chat and Email	CSCwb45202	11.6 - Not vulnerable. 12.0 (6 Jun 2022) 12.5 (6 Jun 2022) 12.6 ES2 (6 Jun 2022)
  Video, Streaming, TelePresence, and Transcoding Devices
  Cisco Meeting Server	CSCwb43662	3.5.0 (Available) 3.4.2 (31 May 2022) 3.3.3 (17 Jun 2022)

  Products Confirmed Not Vulnerable

  Cisco investigated its product line to determine which products may be affected by this vulnerability.

  Any product not listed in the Affected Products section of this advisory is to be considered not vulnerable.

  Cisco has confirmed that this vulnerability does not affect the following Cisco products:

  Cable Devices

  • Cisco Continuous Deployment and Automation Framework
  • Cisco Prime Cable Provisioning

  Collaboration and Social Media

  • Cisco SocialMiner
  • Cisco Webex App, formerly Cisco Webex Teams
  • Cisco Webex Meetings Server

  Network Application, Service, and Acceleration

  • Cisco Wide Area Application Services (WAAS)

  Network and Content Security Devices

  • Cisco Adaptive Security Appliance (ASA) Software
  • Cisco Firepower Device Manager (FDM)
  • Cisco Firepower Management Center (FMC) Software
  • Cisco Firepower System Software
  • Cisco Identity Services Engine (ISE)
  • Cisco Secure Email Gateway, formerly Email Security Appliance (ESA)
  • Cisco Secure Email and Web Manager, formerly Cisco Content Security Management Appliance (SMA)
  • Cisco Secure Network Analytics, formerly Cisco Stealthwatch
  • Cisco Security Manager
  • Cisco Umbrella Active Directory (AD) Connector
  • Cisco Umbrella Roaming Clients
  • Cisco Umbrella Virtual Appliance

  Network Management and Provisioning

  • Cisco Application Policy Infrastructure Controller (APIC)
  • Cisco Business Process Automation
  • Cisco CloudCenter Action Orchestrator
  • Cisco CloudCenter Cost Optimizer
  • Cisco CloudCenter Suite Admin
  • Cisco CloudCenter Workload Manager
  • Cisco CloudCenter
  • Cisco Collaboration Audit and Assessments
  • Cisco Common Services Platform Collector (CSPC)
  • Cisco Connected Mobile Experiences
  • Cisco Connected Pharma
  • Cisco Crosswork Change Automation
  • Cisco Crosswork Data Gateway
  • Cisco Crosswork Network Automation
  • Cisco Crosswork Situation Manager
  • Cisco Elastic Services Controller (ESC)
  • Cisco Extensible Network Controller (XNC)
  • Cisco Intelligent Node (iNode) Manager
  • Cisco IoT Field Network Director, formerly Cisco Connected Grid Network Management System
  • Cisco NCS 2000 Shelf Virtualization Orchestrator (SVO)
  • Cisco Network Change and Configuration Management
  • Cisco Network Insights for Data Center
  • Cisco Nexus Dashboard Data Broker, formerly Cisco Nexus Data Broker
  • Cisco Nexus Dashboard, formerly Cisco Application Services Engine
  • Cisco Nexus Insights
  • Cisco Policy Suite for Mobile
  • Cisco Policy Suite
  • Cisco Prime Performance Manager
  • Cisco Smart PHY
  • Cisco ThousandEyes Endpoint Agent
  • Cisco ThousandEyes Enterprise Agent
  • Cisco Virtual Topology System - Virtual Topology Controller (VTC) VM

  Routing and Switching - Enterprise and Service Provider

  • Cisco ACI HTML5 vCenter Plug-in
  • Cisco ASR 5000 Series Routers
  • Cisco Enterprise NFV Infrastructure Software (NFVIS)
  • Cisco GGSN Gateway GPRS Support Node
  • Cisco IOx Fog Director
  • Cisco IP Services Gateway (IPSG)
  • Cisco MME Mobility Management Entity
  • Cisco Mobility Unified Reporting and Analytics System
  • Cisco Network Convergence System 2000 Series
  • Cisco ONS 15454 Series Multiservice Provisioning Platforms
  • Cisco PDSN/HA Packet Data Serving Node and Home Agent
  • Cisco PGW Packet Data Network Gateway
  • Cisco SD-WAN vManage
  • Cisco System Architecture Evolution Gateway (SAEGW)
  • Cisco Ultra Packet Core
  • Cisco Ultra Services Platform

  Routing and Switching - Small Business

  • Cisco Business Dashboard

  Unified Computing

  • Cisco HyperFlex

  Voice and Unified Communications Devices

  • Cisco BroadWorks
  • Cisco Cloud Connect
  • Cisco Emergency Responder
  • Cisco Packaged Contact Center Enterprise
  • Cisco Unified Attendant Console Advanced
  • Cisco Unified Attendant Console Business Edition
  • Cisco Unified Attendant Console Department Edition
  • Cisco Unified Attendant Console Enterprise Edition
  • Cisco Unified Attendant Console Premium Edition
  • Cisco Unified Communications Manager IM & Presence Service
  • Cisco Unified Communications Manager Session Management Edition
  • Cisco Unified Communications Manager
  • Cisco Unified Contact Center Enterprise
  • Cisco Unified Contact Center Express
  • Cisco Unified Customer Voice Portal
  • Cisco Unified Intelligence Center
  • Cisco Unity Connection
  • Cisco Virtualized Voice Browser

  Video, Streaming, TelePresence, and Transcoding Devices

  • Cisco Expressway Series
  • Cisco TelePresence Integrator C Series
  • Cisco TelePresence MX Series
  • Cisco TelePresence Management Suite Provisioning Extensions
  • Cisco TelePresence Management Suite
  • Cisco TelePresence Precision Cameras
  • Cisco TelePresence Profile Series
  • Cisco TelePresence SX Series
  • Cisco TelePresence System EX Series
  • Cisco TelePresence Video Communication Server (VCS)
  • Cisco Touch
  • Cisco Video Surveillance Operations Manager
  • Cisco Vision Dynamic Signage Director
  • Cisco Webex Board Series
  • Cisco Webex Desk Series
  • Cisco Webex Room Navigator
  • Cisco Webex Room Series

  Wireless

  • Cisco Ultra Cloud Core - Access and Mobility Management Function
  • Cisco Ultra Cloud Core - Network Repository Function
  • Cisco Ultra Cloud Core - Policy Control Function
  • Cisco Ultra Cloud Core - Redundancy Configuration Manager
  • Cisco Ultra Cloud Core - Session Management Function
  • Cisco Ultra Cloud Core - Subscriber Microservices Infrastructure

  Cisco Cloud Hosted Services

  • Cisco BroadCloud
  • Cisco Industrial Asset Vision
  • Cisco IoT Control Center
  • Cisco IoT Operations Dashboard (IOTOC)
  • Cisco Kinetic for Cities
  • Cisco Registered Envelope Service
  • Cisco Smart Collector - Lifecycle Management
  • Cisco Umbrella
  • Cisco Unified Communications Manager Cloud
  • Cisco Webex Cloud-Connected UC (CCUC)

Workarounds

• Any workarounds will be documented in the product-specific Cisco bugs, which are identified in the Vulnerable Products section of this advisory.

Fixed Software

• For information about fixed software releases, consult the Cisco bugs identified in the Vulnerable Products section of this advisory.

  When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory.

Source

• This vulnerability was publicly disclosed by VMware on March 31, 2022.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67

Revision History

• Version	Description	Section	Status	Date
  1.13	Updated products confirmed not vulnerable.	Affected Products	Final	2023-FEB-09
  1.12	Updated Fixed Releases information.	Vulnerable Products	Final	2022-JUN-01
  1.11	Updated vulnerable products and products confirmed not vulnerable.	Affected Products	Final	2022-APR-29
  1.10	Updated the products under investigation, vulnerable products, and products confirmed not vulnerable.	Affected Products	Interim	2022-APR-26
  1.9	Updated the products under investigation, vulnerable products, and products confirmed not vulnerable.	Affected Products	Interim	2022-APR-21
  1.8	Updated the products under investigation, vulnerable products, and products confirmed not vulnerable.	Affected Products	Interim	2022-APR-14
  1.7	Updated the products under investigation, vulnerable products, and products confirmed not vulnerable.	Affected Products	Interim	2022-APR-13
  1.6	Updated the products under investigation, vulnerable products, and products confirmed not vulnerable.	Affected Products	Interim	2022-APR-12
  1.5	Updated the products under investigation, vulnerable products, and products confirmed not vulnerable.	Affected Products	Interim	2022-APR-11
  1.4	Updated the products under investigation, vulnerable products, and products confirmed not vulnerable.	Affected Products	Interim	2022-APR-07
  1.3	Updated the products under investigation, vulnerable products, and products confirmed not vulnerable.	Affected Products	Interim	2022-APR-06
  1.2	Updated the products under investigation, vulnerable products, and products confirmed not vulnerable.	Affected Products	Interim	2022-APR-05
  1.1	Updated the products under investigation, vulnerable products, and products confirmed not vulnerable.	Affected Products	Interim	2022-APR-04
  1.0	Initial public release.	-	Interim	2022-APR-01

  Show Less