Matrix42 Self-Service Help Center

CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9 - Spring4Shell

Overview

CVE         CVE-2022-22965, CVE-2022-22963
CWE         CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSS v3.x   9.8 - Critical

In this article we would like to inform you about the vulnerability in the Spring Framework (also known as Spring4Shell), a framework that provides a comprehensive programming and configuration model for modern Java-based enterprise applications, and about its use in Matrix42 products.

Matrix42 products affected by the Spring Framework vulnerability

The Spring Framework is used only in the following products; all other Matrix42 products are not affected.

Component   Matrix42 Risk evaluation   Required Actions/Recommendations   Note                  Fixed Version   Mitigation
FireScope   Risk-free                  None                               Product not impacted  N/A             N/A

Next Steps

Matrix42 will continue to provide updates as necessary in this document.

Updates

Update 1 (2022-04-08):
The Spring Cloud Function vulnerability CVE-2022-22963 does not affect any Matrix42 products. The Spring Framework vulnerability CVE-2022-22965 for FastViewer and Empirum Web Console (EWC) is still under investigation.

Update 2 (2022-04-11):
FastViewer does not use the Spring Framework or Spring Cloud Function and is therefore not affected by the vulnerabilities CVE-2022-22965 and CVE-2022-22963.

Update 3 (2022-04-12):
Empirum Web Console (EWC) does not use the Spring Framework or Spring Cloud Function and is therefore not affected by the vulnerabilities CVE-2022-22965 and CVE-2022-22963.

Change log

Date         Description of change
2022-04-01   Initial publication
2022-04-08   Update 1 - CVE-2022-22963 (Spring Cloud Function) does not affect any Matrix42 product. CVE-2022-22965 (Spring Framework) under investigation.
2022-04-11   Update 2 - FastViewer not affected.
2022-04-12   Update 3 - Empirum Web Console (EWC) not affected.