CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9 - Spring4Shell
Overview
CVE: CVE-2022-22965, CVE-2022-22963
CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSS v3.x: 9.8 - Critical
This article describes the vulnerability in the Spring Framework known as Spring4Shell and its impact on Matrix42 products. The Spring Framework provides a comprehensive programming and configuration model for modern Java-based enterprise applications.
Matrix42 products affected by the Spring Framework vulnerability
The Spring Framework is used only in the following products; all other Matrix42 products are not affected.
| Component | Matrix42 Risk evaluation | Required Actions/Recommendations | Note | Fixed Version | Mitigation |
|---|---|---|---|---|---|
| Fire Scope | Risk-free | None | Product not impacted | N/A | N/A |
Next Steps
Matrix42 will continue to provide updates as necessary in this document.
Updates
Update 1 (2022-04-08):
The Spring Cloud Function vulnerability CVE-2022-22963 does not affect any Matrix42 products. The Spring Framework vulnerability CVE-2022-22965 is still under investigation for Fast Viewer and Empirum Web Console (EWC).
Update 2 (2022-04-11):
Fast Viewer does not use the Spring Framework or Spring Cloud Function and is therefore not affected by the vulnerabilities CVE-2022-22965 and CVE-2022-22963.
Update 3 (2022-04-12):
Empirum Web Console (EWC) does not use the Spring Framework or Spring Cloud Function and is therefore not affected by the vulnerabilities CVE-2022-22965 and CVE-2022-22963.
Change log
| Date | Description of change |
|---|---|
| 2022-04-01 | Initial publication |
| 2022-04-08 | Update 1 - CVE-2022-22963 (Spring Cloud Function) does not affect any Matrix42 product. CVE-2022-22965 (Spring Framework) under investigation. |
| 2022-04-11 | Update 2 - Fast Viewer not affected. |
| 2022-04-12 | Update 3 - Empirum Web Console (EWC) not affected. |