Description
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar (the default), it is not vulnerable to that exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
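The preconditions above (JDK 9+, Spring MVC/WebFlux, WAR on Tomcat versus Boot executable jar) are what a defender triages first. The following is an added example, not part of this advisory or of any ADTRAN product, that parses a `java -version` string (including the legacy 1.x scheme) and classifies a deployment against those preconditions; the `Deployment` record, the packaging labels and the sample output are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Deployment:
    java_version: str   # version string as printed by `java -version`, e.g. "1.8.0_292" or "17.0.2"
    spring_web: bool    # application uses Spring MVC or Spring WebFlux data binding
    packaging: str      # "tomcat-war" (WAR on Tomcat) or "boot-jar" (Spring Boot executable jar)


def java_major(version: str) -> int:
    """Feature release number of a Java version string.
    Handles the legacy 1.x scheme (1.8.0_292 -> 8) as well as 9+ (11.0.2 -> 11, 17 -> 17)."""
    m = re.match(r"(\d+)(?:\.(\d+))?", version.strip().strip('"'))
    if not m:
        raise ValueError(f"unrecognised Java version: {version!r}")
    major = int(m.group(1))
    if major == 1 and m.group(2) is not None:   # "1.8" style: the minor is the real release
        return int(m.group(2))
    return major


def java_major_from_output(java_version_output: str) -> int:
    """Extract the version from the first line that `java -version` prints (to stderr)."""
    m = re.search(r'version "([^"]+)"', java_version_output)
    if not m:
        raise ValueError("no version string found in java -version output")
    return java_major(m.group(1))


def classify(d: Deployment) -> str:
    """Triage a deployment against the preconditions stated in the advisory."""
    if not d.spring_web:
        return "not-applicable"          # no Spring MVC/WebFlux data binding in play
    if java_major(d.java_version) < 9:
        return "precondition-not-met"    # the known exploit needs JDK 9+
    if d.packaging == "tomcat-war":
        return "exposed-known-exploit"   # matches the conditions of the known exploit
    return "review"                      # Boot jar: known exploit does not apply, but the flaw is more general


# Constructed sample: output of `java -version` on a hypothetical host (not from the advisory).
SAMPLE_JAVA_VERSION_OUTPUT = (
    'openjdk version "11.0.2" 2019-01-15\n'
    'OpenJDK Runtime Environment 18.9 (build 11.0.2+9)\n'
)

if __name__ == "__main__":
    for dep in [Deployment("11.0.2", True, "tomcat-war"), Deployment("1.8.0_292", True, "tomcat-war"),
                Deployment("17.0.2", True, "boot-jar")]:
        print(dep.packaging, dep.java_version, "->", classify(dep))
```

A "review" result is deliberately not a clean bill of health, because the advisory states the flaw is more general than the one known exploit path.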
CVE ID
Affected Products
Under investigation. Affected products will be promptly added as each investigation is completed.
| Product Family | Affected Versions | Severity | Notes |
|---|---|---|---|
| ACI-E | All | Critical | N/A |
Unaffected Products
| Product Family | Products |
|---|---|
| ADTRAN OS IP Business Gateways, Routers, & Switches | NetVanta 1200 Series; NetVanta 1530 Series; NetVanta 1540 Series; NetVanta 1550 Series; NetVanta 1600 Series; NetVanta 3000 Series; NetVanta 4000 Series; NetVanta 5000 Series; NetVanta 6000 Series; Total Access 900/900e Series |
| Carrier Ethernet NIDs | NetVanta 800 Series; NetVanta 8000 Series |
| EPON OLTs | 9500 Series; FSU 7000 Series; SDX 6210-4 |
| EPON ONUs | 1004; 6304W; 8001A; 8001B; FSU Series |
| Ethernet Service Delivery Gateways & Mesh APs (PlumeOS) | All products |
| Ethernet Service Delivery Gateways & Mesh APs (SmartOS) | All products |
| GPON, XGS-PON, & Active Ethernet ONUs | 300 Series (all generations); 400 Series; SDX 600 Series |
| GPON & XGS-PON Service Delivery Gateways | SDG 814-v6; SDG 825-v6; SDX 822v |
| hiX | All products |
| Mosaic Cloud Platform | All products |
| Mosaic Cloud Platform Plugins | All products |
| Mosaic Device Manager | All products |
| n-Command MSP | All products |
| OPTI Series | All products |
| SDX 6000 Series OLTs | SDX 6010-16; SDX 6020-48; SDX 6310-16; SDX 6320-16 |
| SDX 8000 Series Aggregation Switches | All products |
| SmartRG Ethernet Residential Gateways & Mesh APs | SE80ac; SR400ac; SR905ac; SR905acv |
| SmartRG VDSL2 Residential Gateways | |
| Total Access 1100 & 1200 Series | All products |
| Total Access 5000 | All products |
Mitigating Factors & Recommended Mitigations
| Product Family | Mitigating Factors | Recommended Mitigations |
|---|---|---|
| ACI-E | N/A | N/A |
Resolution
| Product Family | Resolution |
|---|---|
| ACI-E | An update is under development to mitigate the vulnerability. |
Revision History
| Revision | Date | Changes |
|---|---|---|
| C | 2022-04-07 | Updated the affected versions and resolution for ACI-E. |
| B | 2022-04-06 | Added ACI-E, hiX, Mosaic Cloud Platform, Mosaic Device Manager, and n-Command MSP. Updated Ethernet Service Delivery Gateways & Mesh APs (PlumeOS), Ethernet Service Delivery Gateways & Mesh APs (SmartOS), and Mosaic Cloud Platform Plugins. |
| A | 2022-04-01 | Initial release. |