
IT Security: Threats to Linux and Windows – IT security warning update for VMware Tanzu Spring Framework (Risk: medium)

by admin

A security alert issued for VMware Tanzu Spring Framework has received an update from BSI. You can read a description of the security hole, together with the latest updates and details about the affected Linux and Windows operating systems and products, here.

The Federal Office for Information Security (BSI) issued an update on May 23, 2024 concerning a security vulnerability in VMware Tanzu Spring Framework identified on February 21, 2024. The security vulnerability affects the Linux and Windows operating systems and the products Red Hat Enterprise Linux, VMware Tanzu Spring Framework and Atlassian Bamboo.

The latest manufacturer recommendations for updates, workarounds and security patches for this vulnerability can be found here: Red Hat Security Advisory RHSA-2024:3354 (as of 24 May 2024). Some useful resources are listed later in this article.

VMware Tanzu Spring Framework Security Advisory – Risk: Moderate

Risk level: 3 (medium)
CVSS Base Score: 7.2
CVSS Temporal Score: 6.3
Remote attack: Yes

The Common Vulnerability Scoring System (CVSS) is used to assess the severity of security vulnerabilities in computer systems. The CVSS standard makes it possible to compare potential or actual security risks based on various metrics in order to prioritize countermeasures. The attributes “none”, “low”, “medium”, “high” and “critical” are used to determine the severity levels of a vulnerability. The Base Score evaluates the requirements of an attack (including authentication, complexity, privileges, user interaction) and its consequences. For the Temporal Score, framework conditions that may change over time are taken into account in the assessment. The severity of the present vulnerability is classified as “medium” according to the CVSS with a base score of 7.2.


VMware Tanzu Spring Framework Bug: Vulnerability allows information disclosure

The Spring Framework provides a Java development model with application-level infrastructure support.

A remote, anonymous attacker could exploit a vulnerability in the VMware Tanzu Spring Framework to disclose information or conduct a phishing attack.

The vulnerability is tracked under the unique CVE (Common Vulnerabilities and Exposures) identifier CVE-2024-22243.

Systems affected by the security hole at a glance

Operating systems
Linux, Windows

Products
Red Hat Enterprise Linux (cpe:/o:redhat:enterprise_linux)
VMware Tanzu Spring Framework
Atlassian Bamboo

General steps for dealing with IT vulnerabilities

  1. Users of the affected applications should keep them up to date. When security holes become known, manufacturers are required to fix them quickly by developing a patch or workaround. When new security updates are available, install them promptly.
  2. For information, consult the sources listed in the next section. These often contain further information about the latest version of the software in question and the availability of security patches or performance tips.
  3. If you have any further questions or uncertainties, please contact your responsible administrator. IT security managers should regularly check when the manufacturer makes a new security update available.

Manufacturer information about updates, patches and workarounds

Here you will find further links with information about bug reports, security fixes and workarounds.

Red Hat Security Advisory RHSA-2024:3354 dated 2024-05-24 (23.05.2024)
For more information, see:

IBM Security Bulletin 7153639 dated 2024-05-17 (16.05.2024)
For more information, see:

Atlassian Security Bulletin (16.04.2024)
For more information, see:


Spring Security Advisory dated 2024-02-21 (21.02.2024)
For more information, see:

Version history of this security alert

This is version 4 of this IT security advisory for VMware Tanzu Spring Framework. If further updates are announced, this document will be updated. You can see the changes made in the version history below.

February 21, 2024 – Initial version
April 16, 2024 – New updates added
May 16, 2024 – New updates from IBM added
May 23, 2024 – New updates from Red Hat added

+++ Editorial note: This document is based on current BSI data and will be updated in a data-driven manner depending on the status of the alert. We welcome feedback and comments at [email protected]. +++


kns/roj/news.de
