Bug 1197879 (CVE-2022-22965)

Summary: VUL-0: CVE-2022-22965: spring framework rce
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: uemit.arslan
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/327748/
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2022-03-31 13:58:01 UTC
Here are official announcements regarding the Spring Framework RCE:                                                                                                                          
- https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement                                                                                                                  
- https://tanzu.vmware.com/security/cve-2022-22965
Comment 1 Marcus Meissner 2022-03-31 14:00:44 UTC
see also bug 1197879
Comment 2 Marcus Meissner 2022-03-31 14:51:26 UTC
We are currently investigating if SUSE / openSUSE contains spring core, but we have so far not found anything.
Comment 3 Marcus Meissner 2022-04-04 09:27:14 UTC
SUSE does not include the Spring framework in its products.