A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

The version of tomcat installed on the remote host is prior to 9.0.65-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2TOMCAT9-2023-004 advisory.

  - A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution     (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR     deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not     vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be     other ways to exploit it. (CVE-2022-22965)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of tomcat installed on the remote host is prior to 8.5.79-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2TOMCAT8.5-2023-005 advisory.

  - A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution     (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR     deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not     vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be     other ways to exploit it. (CVE-2022-22965)

  - The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and     8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an     untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and     integrity protection, it does not protect against all risks associated with running over any untrusted     network, particularly DoS risks. (CVE-2022-29885)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The 5.9.0.0.0 and All Supported Versions versions of Oracle Business Intelligence Enterprise Edition (OAS) installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2022 CPU advisory.

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware     (component: Service Administration UI (JQuery)). The supported version that is affected is 5.9.0.0.0.
    Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to     compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction     from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence     Enterprise Edition, attacks may significantly impact additional products (scope change). Successful     attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle     Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset     of Oracle Business Intelligence Enterprise Edition accessible data. (CVE-2020-11023)

  - Security-in-Depth issue in the Oracle BI Publisher product of Oracle Fusion Middleware (component: Web Service     API (Spring Framework)). This vulnerability cannot be exploited in the context of this product.
    (CVE-2022-22965)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The versions of Primavera Gateway installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2022 CPU advisory.

  - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component:
    Admin (jackson-databind)). Supported versions that are affected are 17.12.0-17.12.11, 18.8.0-18.8.14,     19.12.0-19.12.13, 20.12.0-20.12.8 and 21.12.0-21.12.1. Easily exploitable vulnerability allows     unauthenticated attacker with network access via HTTP to compromise Primavera Gateway. Successful attacks     of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash     (complete DOS) of Primavera Gateway. (CVE-2020-36518)

  - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component:
    Admin (Apache Xerces-J)). Supported versions that are affected are 17.12.0-17.12.11, 18.8.0-18.8.14,     19.12.0-19.12.13 and 20.12.0-20.12.8. Easily exploitable vulnerability allows unauthenticated attacker     with network access via HTTP to compromise Primavera Gateway. Successful attacks require human interaction     from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized     ability to cause a hang or frequently repeatable crash (complete DOS) of Primavera Gateway.
    (CVE-2022-23437)

  - Security-in-Depth issue in the Primavera Gateway product of Oracle Construction and Engineering     (component: Admin (Spring Framework)). This vulnerability cannot be exploited in the context of this     product. (CVE-2022-22965)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle WebLogic Server installed on the remote host is missing a security patch from the July 2022 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities, including:

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Third Party     Tools, Samples (Spring Framework)). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and     14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of     Oracle WebLogic Server. (CVE-2022-22965)

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized     Third Party Jars (OWASP Enterprise Security API)). Supported versions that are affected are 12.2.1.3.0,     12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network     access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result     in takeover of Oracle WebLogic Server. (CVE-2022-23457)

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized     Third Party Jars (Apache Maven)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0.
    Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to     compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized     creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data     as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server     accessible data. (CVE-2021-26291)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Dell Wyse Management Suite installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the DSA-2022-098 advisory.

  - The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop     forever for non-prime moduli. Internally this function is used when parsing certificates that contain     elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point     encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has     invalid explicit curve parameters. Since certificate parsing happens prior to verification of the     certificate signature, any process that parses an externally supplied certificate may thus be subject to a     denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they     can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients     consuming server certificates - TLS servers consuming client certificates - Hosting providers taking     certificates or private keys from customers - Certificate authorities parsing certification requests from     subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that     use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS     issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate     which makes it slightly harder to trigger the infinite loop. However any operation which requires the     public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-     signed certificate to trigger the loop during verification of the certificate signature. This issue     affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the     15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected     1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc). (CVE-2022-0778)

  - A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution     (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR     deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not     vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be     other ways to exploit it. (CVE-2022-22965)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of MySQL Enterprise Monitor installed on the remote host are affected by multiple vulnerabilities as referenced in the April 2022 CPU advisory.

  - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General     (Apache Log4j)). Supported versions that are affected are 8.0.29 and prior. Easily exploitable     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in takeover of MySQL     Enterprise Monitor. (CVE-2022-23305)

  - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General     (Spring Framework)). Supported versions that are affected are 8.0.29 and prior. Easily exploitable     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in takeover of MySQL     Enterprise Monitor. (CVE-2022-22965)

  - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General     (Apache Tomcat)). Supported versions that are affected are 8.0.29 and prior. Easily exploitable     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in unauthorized ability to     cause a hang or frequently repeatable crash (complete DOS) of MySQL Enterprise Monitor. (CVE-2021-42340)

  - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General     (Spring Framework)). Supported versions that are affected are 8.0.29 and prior. The patterns for     disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is     listed with both upper and lower case for the first character of the field, including upper and lower case for the      first character of all nested fields within the property path. (CVE-2022-22968)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host contains a Spring Framework library version that is prior to 5.2.20 or 5.3.x prior to 5.3.18. It is, therefore, affected by a remote code execution vulnerability:
  - A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via     data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application     is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the     nature of the vulnerability is more general, and there may be other ways to exploit it.
  - These are the prerequisites for the exploit:
    - JDK 9 or higher
    - Apache Tomcat as the Servlet container
    - Packaged as WAR
    - spring-webmvc or spring-webflux dependency

The remote host contains a Spring Framework library version that is prior to 5.2.20 or 5.3.x prior to 5.3.18. It is, therefore, affected by a remote code execution vulnerability:

  - A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via     data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application     is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the     nature of the vulnerability is more general, and there may be other ways to exploit it.

  - These are the prerequisites for the exploit:
    - JDK 9 or higher
    - Apache Tomcat as the Servlet container
    - Packaged as WAR
    - spring-webmvc or spring-webflux dependency

Note that users are required to enable the 'Show potential false alarms' setting, also known as paranoid mode, in their scan policy in order to enable this plugin in a scan. In addition, the 'Perform thorough tests' setting must be enabled as well.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Spring MVC and Spring WebFlux applications, when packaged as a traditional WAR file, running on JDK version 9 and higher in an Apache Tomcat servlet container and exposing one or more endpoints with DataBinder enabled, suffer from a Remote Code Execution (RCE) vulnerability.

By crafting a specific HTTP request, an attacker could leverage the vulnerability to compromise the target by, for example, hosting a web shell on the target application.

ID	Name	Product	Family	Severity
182056	Amazon Linux 2 : tomcat (ALASTOMCAT9-2023-004)	Nessus	Amazon Linux Local Security Checks	critical
181988	Amazon Linux 2 : tomcat (ALASTOMCAT8.5-2023-005)	Nessus	Amazon Linux Local Security Checks	critical
164159	Oracle Business Intelligence Publisher (OAS) (Jul 2022 CPU)	Nessus	Misc.	critical
163328	Oracle Primavera Gateway (Jul 2022 CPU)	Nessus	CGI abuses	critical
163298	Oracle WebLogic Server (Jul 2022 CPU)	Nessus	Misc.	critical
161952	Dell Wyse Management Suite < 3.6.1 Multiple Vulnerabilities (DSA-2022-098)	Nessus	Windows	critical
159917	Oracle MySQL Enterprise Monitor (Apr 2022 CPU)	Nessus	CGI abuses	critical
159542	Spring Framework Spring4Shell (CVE-2022-22965)	Nessus	CGI abuses	critical
159374	Spring Framework < 5.2.20 / 5.3.x < 5.3.18 Remote Code Execution (CVE-2022-22965)	Nessus	Misc.	critical
113217	Spring Framework < 5.2.20 / 5.3.x < 5.3.18 Remote Code Execution (Spring4Shell)	Web App Scanning	Component Vulnerability	critical

Detections

Analytics

CVE-2022-22965

critical

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical