VMware has released security updates to fix the critical remote code execution (RCE) flaw known as Spring4Shell.
The bug affects several of the company’s cloud computing and virtualisation products.
The bug, which is tracked as CVE-2022-22965, was found in the Spring Core Java framework and can be exploited without authentication.
The vulnerability has a severity of 9.8 out of 10. This means that it could be used by any malicious actor to gain access to vulnerable applications.
It can then be used to execute arbitrary commands and take complete control of a target system.
Affected products include VMware Tanzu Application Service for VMs (versions 2.10 to 2.13), VMware Tanzu Operations Manager (versions 2.8 to 2.9), and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) versions 1.11 to 1.13.
Security updates are available for the first two products that cover multiple release branches with point releases, but a permanent fix for VMware Tanzu Kubernetes Grid Integrated Edition is still in the works.
For products without a permanent solution, VMware has provided a workaround that allows users to bypass the bug.
For more, read the original story in BleepingComputer.
