Spring4Shell Issue (CVE-2022-22965; CVE-2022-22963)

Publication Date: June 2nd, 2022

According to the information published on https://tanzu.vmware.com/security/cve-2022-22965, the exploit for CVE-2022-22965 impacts systems with all of the following characteristics:

JDK 9 or higher
Apache Tomcat as the Servlet container
Packaged as WAR
spring-webmvc or spring-webflux dependency

On-premise customers who are concerned about possible exposure to this vulnerability can mitigate the issue by using JDK 8 and/or Apache Tomcat 9.0.62+, which contains a fix to harden the class-loader to mitigate this exploit. Out of an abundance of caution, we will release patches to update to a fixed version of Spring for both CVE-2022-22965 and CVE-2022-22963 as per the following table.

Product	Version	Impact	Comments
ESB Runtime	8.0	Yes	8.0.1-R2022-04 (22-APR-22)
	7.3	Yes	7.3.1-R2022-04 (12-APR-22)
	7.2	Yes	TPS-5231-RT (02-MAY-22)
	All other versions	Not impacted	Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable. CVE-2022-22963 is not applicable to ESB Runtime.
IAM	8.0	Yes	TPS-5180 (12-APR-22)
	7.3	Yes	TPS-5177 (12-APR-22)
	7.2	Yes	TPS-5178 (12-APR-22)
	All other versions	Not impacted	Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable. CVE-2022-22963 is not applicable to IAM.
MDM	8.0	Yes	TPS-5155 (11-APR-22)
	7.3	Yes	TPS-5154 (08-APR-22)
	7.2	Yes	TPS-5193 (15-APR-22)
	All other versions	Not impacted	Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable. CVE-2022-22963 is not applicable to MDM.
Talend Studio	8.0	Yes	Studio installation. ESB, Big Data, DI (tDQReportRun), microservices to be rebuilt - R2022-03v2 (15-APR-22)
	7.3	Yes	Studio installation. ESB, Big Data, DI (tDQReportRun), microservices to be rebuilt - R2022-04 (14-APR-22)
	7.2	Yes	Studio installation. ESB, Big Data, DI (tDQReportRun), microservices to be rebuilt - TPS-5140 (06-MAY-22).
	All other versions	Not impacted	Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable. CVE-2022-22963 is not applicable to Studio.
Talend Cloud Applications	All	Yes	As of April 1, we implemented blocking of external exploitation attempts on Talend Cloud Products for these CVEs. However, we will also update any Talend Cloud application that has a dependency on Spring. No impact for customers.
Remote Engine Gen1	All	Not impacted	CVE-2022-22963 is not applicable to the RE Gen 1. Spring beans are not exposed in the RE Gen 1, so CVE-2022-22965 doesn’t apply. However, we updated Spring to a fixed version in Talend Remote Engine v2.12.0.
Remote Engine Gen1 (Marketplace)	All	Not impacted	CVE-2022-22963 is not applicable to the RE Gen 1. Spring beans are not exposed in the RE Gen 1, so CVE-2022-22965 doesn’t apply. However, we updated Spring to a fixed version in Talend Remote Engine v2.12.0, which is available in the AWS Marketplace (26-MAY-22) and Azure Marketplace (31-MAY-22).
Remote Engine Gen2	All	Yes	The Remote Engine Gen 2 was updated in the R2022-05 release (a re-start might be required to download the updated image).
Talend Data Preparation	8.0	Yes	TPS-5166 (29-APR-22)
	7.3.1	Partial	CVE-2022-22963 does not apply to Data Preparation. However we will issue a patch to delete the affected jar – TPS-5165 (29-APR-22). The core Spring framework version will not be updated for 7.3. Instead we recommend to customers to use JDK8 to mitigate the issue.
	7.2.1	Partial	CVE-2022-22963 does not apply to Data Preparation - the Spring Cloud Function Context jar can be safely deleted. The core Spring framework version will not be updated for 7.2. Instead we recommend to customers to use JDK8 to mitigate the issue.
	All other versions	Not impacted	CVE-2022-22963 does not apply to Data Preparation - the Spring Cloud Function Context jar can be safely deleted. Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable.
Talend Data Stewardship	8.0	Yes	TPS-5190 (06-MAY-22)
	7.3.1	Partial	CVE-2022-22963 does not apply to Data Stewardship. However we will issue a patch to delete the affected jar - TPS-5195 (13-MAY-22). The core Spring framework version will not be updated for 7.3. Instead we recommend to customers to use JDK8 to mitigate the issue.
	7.2.1	Partial	CVE-2022-22963 does not apply to Data Stewardship - the Spring Cloud Function Context jar can be safely deleted. The core Spring framework version will not be updated for 7.2. Instead we recommend to customers to use JDK8 to mitigate the issue.
	All other versions	Not impacted	CVE-2022-22963 does not apply to Data Stewardship - the Spring Cloud Function Context jar can be safely deleted. Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable.
Talend Dictionary Service	8.0	Yes	TPS-5211 (04-MAY-22)
	7.3.1	Partial	CVE-2022-22963 does not apply to Dictionary Service - the Spring Cloud Function Context jar can be safely deleted. The core Spring framework version will not be updated for 7.3. Instead we recommend to customers to use JDK8 to mitigate the issue.
	7.2.1	Partial	CVE-2022-22963 does not apply to Dictionary Service - the Spring Cloud Function Context jar can be safely deleted. The core Spring framework version will not be updated for 7.2. Instead we recommend to customers to use JDK8 to mitigate the issue.
	All other versions	Not impacted	CVE-2022-22963 does not apply to Dictionary Service - the Spring Cloud Function Context jar can be safely deleted. Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable.
Talend SAP RFC Server	8.0	Yes	TPS-5183 (15-APR-22)
	7.3.1	Yes	TPS-5182 (15-APR-22)
	7.2.1	Yes	TPS-5191 (15-APR-22)
	All other versions	Not impacted
Talend Administration Center JobServer LogServer Stitch Data Loader Talend Data Catalog	All versions	Not impacted