3171058 - CVE-2022-22965 - AS Java Core Components' impact for Spring Core Remote Code Execution vulnerability

Symptom

You are curious whether your SAP NetWeaver Application Server Java system is affected by spring core remote code execution vulnerability exploited In the wild (SpringShell). See documentation: CVE-2022-22965.

Vulnerability CVE-2022-22965
How does this impact SAP Netweaver Application Server Java Core Components
The AS Java Core Software Components are documented in KBA 1794179 Importing AS Java Core patches for NetWeaver 7.1 or higher

Environment

Affected Software and Versions / Existing proofs of concept (PoCs) for exploitation work under the following conditions:

JDK 9 or higher
Apache Tomcat as the Servlet container
Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
spring-webmvc or spring-webflux dependency
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions

Product

SAP NetWeaver Application Server for Java all versions

Keywords

KBA , BC-JAS-COR , Enterprise Runtime, Core J2EE Framework , BC-JAS-SEC , Security, User Management , BC-JVM , SAP Java Virtual Machine , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.