CVE-2022-22965 (widely referred to as "Spring4Shell") is a vulnerability in the Spring Framework. Under certain conditions, Spring's request data binding allows a specially crafted HTTP request to modify object properties that a request should never be able to reach, and an attacker can chain this into remote code execution (RCE) within an affected application. At the time of this writing, the conditions required by the publicly known exploit, as they pertain to the Variphy application, are as follows:
- Applications running on Java 9 or higher
- Applications deployed on Apache Tomcat at a version prior to 8.5.78 (the release that added Tomcat's hardening against this issue)
- Applications packaged as a traditional WAR and deployed to Tomcat (rather than as an executable JAR with an embedded container)
- Applications using the spring-webmvc dependency
- Applications using Spring Framework versions 5.3.0 through 5.3.17 (fixed in 5.3.18)
- Applications using data binding to bind request parameters to web controller method parameters (for example, a controller method that takes a plain Java object as an argument)
Spring's own advisory notes that the underlying weakness is more general than this exploit and that other exploitation paths may exist, so the absence of one of these conditions should not be treated as a guarantee of safety.
Are On-Premises Variphy Applications affected?
The Variphy Information Security Team has investigated the vulnerability and, at this time, does not believe that Variphy 12.4.2 on-premises applications are vulnerable to exploitation via CVE-2022-22965.
Are Variphy Cloud Applications affected?
The Variphy Information Security Team has investigated the vulnerability and, at this time, does not believe that Variphy Cloud applications are vulnerable to exploitation via CVE-2022-22965.
How can I mitigate this vulnerability?
The Variphy Product Development Team is preparing Variphy release 12.4.3, targeted for release on 4/14/2022, which addresses the vulnerability by:
- Upgrading Apache Tomcat to 8.5.78
- Upgrading Spring Framework to 5.3.18
This upgrade does not indicate that Variphy is vulnerable to this CVE; it is part of our continuous effort to improve the solution.
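The precondition list above and the two version upgrades in this release can be checked mechanically against any Spring WAR deployment. The following script is an added example, not Variphy code: it opens a WAR, reads the Spring Framework version from the jar names under WEB-INF/lib (assuming the usual `spring-<module>-<version>.jar` naming), takes the Java and Tomcat versions as operator-supplied input, and reports which preconditions hold against the fixed versions named on this page. The 5.2.x Spring range and the Tomcat 9.0.62 / 10.0.20 hardening releases are taken from Spring's and Tomcat's own release notes, not from this page; the sample WAR it builds when run without arguments is constructed for demonstration. Data-binding usage cannot be detected from a WAR listing and still has to be reviewed in the controllers.

```python
"""Static precondition check for CVE-2022-22965 against a WAR deployment.
Added example (not Variphy code): inspects WEB-INF/lib for Spring jars and
compares operator-supplied Java/Tomcat versions with the advisory's ranges."""
import io
import re
import sys
import zipfile

# 5.3.0-5.3.17 (fixed in 5.3.18) is the range named in the advisory above;
# 5.2.0-5.2.19 (fixed in 5.2.20) comes from Spring's own CVE advisory.
SPRING_AFFECTED = [((5, 3, 0), (5, 3, 18)), ((5, 2, 0), (5, 2, 20))]  # [first, fixed)
# 8.5.78 is the hardened release named in the advisory; 9.0.62 and 10.0.20 are the
# matching releases on the other Tomcat lines (Apache Tomcat release notes).
TOMCAT_HARDENED = {(8, 5): (8, 5, 78), (9, 0): (9, 0, 62), (10, 0): (10, 0, 20)}
MIN_JAVA_MAJOR = 9
JAR_RE = re.compile(
    r"^WEB-INF/lib/(spring-(?:webmvc|webflux|core))-(\d+(?:\.\d+)+)(?:\.RELEASE)?\.jar$"
)


def parse_version(text):
    """'8.5.77' -> (8, 5, 77); '1.8.0_312' -> (1, 8, 0, 312). Trailing text is ignored."""
    m = re.match(r"\s*(\d+(?:[._]\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in re.split(r"[._]", m.group(1)))


def java_major(text):
    """Java feature release: '1.8.0_312' -> 8, '11.0.14' -> 11, '17' -> 17."""
    v = parse_version(text)
    return v[1] if v[0] == 1 and len(v) > 1 else v[0]


def fmt(v):
    return ".".join(map(str, v))


def spring_jars(war_bytes):
    """Map Spring artifact name -> version tuple for jars found under WEB-INF/lib."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for name in zf.namelist():
            m = JAR_RE.match(name)
            if m:
                found[m.group(1)] = parse_version(m.group(2))
    return found


def spring_in_affected_range(version):
    return any(first <= version < fixed for first, fixed in SPRING_AFFECTED)


def tomcat_is_hardened(version):
    """True/False for a known Tomcat line; None when the line is not in the table."""
    fixed = TOMCAT_HARDENED.get(version[:2])
    return None if fixed is None else version >= fixed


def assess(war_bytes, java_version, tomcat_version):
    """Return (all_preconditions_met, findings); findings has one line per check."""
    checks = []  # (condition_holds, description)
    jm = java_major(java_version)
    checks.append((jm >= MIN_JAVA_MAJOR, f"Java {jm} (exploit needs Java 9 or higher)"))
    tv = parse_version(tomcat_version)
    hardened = tomcat_is_hardened(tv)
    if hardened is None:  # unknown line: assume not hardened, erring on the side of caution
        checks.append((True, f"Tomcat {fmt(tv)} (unknown line; verify against Tomcat release notes)"))
    else:
        checks.append((not hardened, f"Tomcat {fmt(tv)} (hardened from {fmt(TOMCAT_HARDENED[tv[:2]])})"))
    jars = spring_jars(war_bytes)
    checks.append(("spring-webmvc" in jars, "spring-webmvc present in WEB-INF/lib"))
    spring = jars.get("spring-webmvc") or jars.get("spring-core")
    if spring is None:
        checks.append((False, "no Spring Framework jar found in WEB-INF/lib"))
    else:
        checks.append((spring_in_affected_range(spring),
                       f"Spring Framework {fmt(spring)} (affected: 5.3.0-5.3.17, 5.2.0-5.2.19)"))
    met = all(ok for ok, _ in checks)
    return met, [("MET   " if ok else "UNMET ") + desc for ok, desc in checks]


def make_sample_war(spring_version):
    """Constructed sample WAR for demonstration (not a Variphy artifact).
    Only entry names matter to the checker, so the jar entries are empty."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        for artifact in ("spring-core", "spring-beans", "spring-webmvc"):
            zf.writestr(f"WEB-INF/lib/{artifact}-{spring_version}.jar", b"")
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: check.py app.war <java-version> <tomcat-version>
        with open(sys.argv[1], "rb") as f:
            war, java, tomcat = f.read(), sys.argv[2], sys.argv[3]
    else:  # no arguments: run against the constructed sample
        war, java, tomcat = make_sample_war("5.3.17"), "11.0.14", "8.5.77"
    met, findings = assess(war, java, tomcat)
    print("\n".join(findings))
    print("ALL PRECONDITIONS MET" if met else "at least one precondition not met")
```

Run it as `python3 check.py variphy.war "$(java -version 2>&1 | head -1 | cut -d'"' -f2)" 8.5.77` on the host that serves the WAR; an "UNMET" on the Spring or Tomcat line after the 12.4.3 upgrade confirms the two version changes listed above took effect.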
As an additional precaution, we recommend placing the Variphy server behind a firewall and restricting reachable ports to those the deployment actually uses. All of the following are TCP:
- Web server (HTTP): port 8080
- Web server (HTTPS): port 8443
- H2 database: port 9001
- Tomcat shutdown: port 8005
- CUCM/UCCX/CUC AXL: port 8443
- MySQL: port 3306
- MSSQL: port 1433
The Tomcat shutdown port normally only needs to accept connections from the Variphy server itself, and the database ports only need to be open between the Variphy server and its database. Keep in mind that the public exploit for CVE-2022-22965 travels over ordinary HTTP requests to the application's own web port, so a firewall limits who can reach that port but does not remove the weakness from an affected Spring application behind it.
More information on Variphy server and network requirements is available here.