Security Bulletin Update - Spring Framework Vulnerability CVE-2022-22965
This is an update of Idera's review of the Spring Framework Vulnerability (CVE-2022-22965).
The Spring Framework vulnerability enables remote code execution (RCE). Impacted Java applications use Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or older, together with version 9 or higher of the Java Development Kit (JDK).
- The vulnerability allows an attacker to remotely execute arbitrary code on the target server.
- Idera does use the Spring Framework in places, but largely does not use JDK 9+, so it is generally not impacted by this vulnerability.
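The two conditions above (an affected Spring Framework range and JDK 9 or newer) can be checked mechanically. The following Python checker is an added example written for this page, not Idera's or the Spring project's code; it encodes only the version conditions this bulletin lists, and the `pom.properties` sample it reads is constructed. Note that JDK 8 and earlier report `java.version` in the legacy `1.x` form, which the check has to handle.

```python
import re

# Affected Spring Framework ranges as stated in the bulletin: 5.3.0-5.3.17,
# 5.2.0-5.2.19, and anything older; the first non-impacted patch levels are below.
FIXED_5_3 = (5, 3, 18)
FIXED_5_2 = (5, 2, 20)

# Constructed sample of META-INF/maven/org.springframework/spring-beans/pom.properties
# as found inside a deployed WAR; only the version line matters here.
SAMPLE_POM_PROPERTIES = """#Generated by Maven
groupId=org.springframework
artifactId=spring-beans
version=5.3.17
"""


def spring_version_from_pom_properties(text: str) -> str:
    """Pull the version= value out of a Maven pom.properties file."""
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    raise ValueError("no version= entry in pom.properties")


def parse_spring_version(version: str) -> tuple:
    """Turn '5.3.17' or '5.2.19.RELEASE' into a comparable (major, minor, patch)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Spring version: {version!r}")
    return tuple(int(x) for x in m.groups())


def java_major(version: str) -> int:
    """Map a java.version string to its major release: '1.8.0_292' -> 8, '11.0.2' -> 11, '17' -> 17."""
    parts = version.strip().split(".")
    if parts[0] == "1" and len(parts) > 1:      # legacy JDK <= 8 scheme
        return int(parts[1])
    return int(re.match(r"\d+", parts[0]).group())


def spring_version_affected(version: str) -> bool:
    """True if the Spring Framework version is in a range the bulletin lists as impacted."""
    v = parse_spring_version(version)
    if v[:2] == (5, 3):
        return v < FIXED_5_3
    if v[:2] == (5, 2):
        return v < FIXED_5_2
    return v < (5, 2, 0)   # "older versions" are impacted; 5.4+/6.x are not in the list


def is_exposed(spring_version: str, java_version: str) -> bool:
    """Both bulletin conditions must hold: affected Spring range AND JDK 9 or newer."""
    return spring_version_affected(spring_version) and java_major(java_version) >= 9
```

An application on Spring 5.3.17 with JDK 11 is flagged, while the same Spring version on JDK 8 (the case the bulletin relies on for most Idera products) is not.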
Idera has completed its review and investigation of all product families. The status of each product is as follows.
The following products are not impacted because they do NOT use the Spring Framework at all:
- APILayer, Assembla, BitTitan, Embarcadero Interbase, Embarcadero RAD Studio / Delphi / C++Builder, Filestack, Froala, FusionCharts, Idera SQL, Idera Aqua Data Studio, Idera DB PowerStudio, LANSA, PreEmptive, Precise, Qubole, Ranorex, Sencha, TestRail, Travis CI, UltraEdit, Uptime, Webyog, WhereScape RED, Whole Tomato
The following products DO use the Spring Framework but are NOT affected, because they only use JDK 8 servlets:
- Perspectium, Kiuwan, WhereScape 3D, Xblend, Embarcadero Enterprise License Center
The following products are impacted by CVE-2022-22965:
- Yellowfin
  - A patch has been produced that upgrades the product to a non-impacted version of the Spring Framework. Contact Yellowfin support or review this page for more information: https://community.yellowfinbi.com/knowledge-base/article/yellowfin-and-the-springshell-vulnerability
- Idera ER/Studio Team Server
  - Note that ER/Studio customers who are not using Team Server are NOT impacted by this. Further note that most customers run ER/Studio Team Server behind a firewall.
  - While Idera develops a patch for ER/Studio Team Server, a process to update existing installations to address this CVE will be available very soon. Idera support will publish more details about the patch and the update as soon as they are available.
Although our initial, thorough investigation has concluded, Idera will continue to actively monitor this situation for potential issues and communicate with stakeholders as appropriate.
If you have any questions or concerns, please contact us.
Idera Security and Compliance Team.