Publication Date: June 2nd, 2022
According to the information published on https://tanzu.vmware.com/security/cve-2022-22965, the exploit for CVE-2022-22965 impacts systems with all of the following characteristics:
JDK 9 or higher
Apache Tomcat as the Servlet container
Packaged as a WAR
spring-webmvc or spring-webflux dependency
On-premise customers who are concerned about possible exposure to this vulnerability can mitigate it by using JDK 8 and/or Apache Tomcat 9.0.62 or later, which hardens the class loader against this exploit. Out of an abundance of caution, we will release patches that update to a fixed version of Spring for both CVE-2022-22965 and CVE-2022-22963, as listed in the following table.
| Product | Version | Impact | Comments |
|---|---|---|---|
| ESB Runtime | 8.0 | Yes | 8.0.1-R2022-04 (22-APR-22) |
| ESB Runtime | 7.3 | Yes | 7.3.1-R2022-04 (12-APR-22) |
| ESB Runtime | 7.2 | Yes | TPS-5231-RT (02-MAY-22) |
| ESB Runtime | All other versions | Not impacted | Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable. CVE-2022-22963 is not applicable to ESB Runtime. |
| IAM | 8.0 | Yes | TPS-5180 (12-APR-22) |
| IAM | 7.3 | Yes | TPS-5177 (12-APR-22) |
| IAM | 7.2 | Yes | TPS-5178 (12-APR-22) |
| IAM | All other versions | Not impacted | Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable. CVE-2022-22963 is not applicable to IAM. |
| MDM | 8.0 | Yes | TPS-5155 (11-APR-22) |
| MDM | 7.3 | Yes | TPS-5154 (08-APR-22) |
| MDM | 7.2 | Yes | TPS-5193 (15-APR-22) |
| MDM | All other versions | Not impacted | Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable. CVE-2022-22963 is not applicable to MDM. |
| Talend Studio | 8.0 | Yes | Studio installation; ESB, Big Data, DI (tDQReportRun) and microservices must be rebuilt. R2022-03v2 (15-APR-22) |
| Talend Studio | 7.3 | Yes | Studio installation; ESB, Big Data, DI (tDQReportRun) and microservices must be rebuilt. R2022-04 (14-APR-22) |
| Talend Studio | 7.2 | Yes | Studio installation; ESB, Big Data, DI (tDQReportRun) and microservices must be rebuilt. TPS-5140 (06-MAY-22) |
| Talend Studio | All other versions | Not impacted | Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable. CVE-2022-22963 is not applicable to Studio. |
| Talend Cloud Applications | All | Yes | As of April 1, we block external exploitation attempts against Talend Cloud products for these CVEs. We will nevertheless update every Talend Cloud application that has a dependency on Spring. No impact for customers. |
| Remote Engine Gen1 | All | Not impacted | CVE-2022-22963 is not applicable to the RE Gen 1. Spring beans are not exposed in the RE Gen 1, so CVE-2022-22965 does not apply. However, we updated Spring to a fixed version in Talend Remote Engine v2.12.0. |
| Remote Engine Gen1 (Marketplace) | All | Not impacted | CVE-2022-22963 is not applicable to the RE Gen 1. Spring beans are not exposed in the RE Gen 1, so CVE-2022-22965 does not apply. However, we updated Spring to a fixed version in Talend Remote Engine v2.12.0, which is available in the AWS Marketplace (26-MAY-22) and Azure Marketplace (31-MAY-22). |
| Remote Engine Gen2 | All | Yes | The Remote Engine Gen 2 was updated in the R2022-05 release (a restart may be required to download the updated image). |
| Talend Data Preparation | 8.0 | Yes | TPS-5166 (29-APR-22) |
| Talend Data Preparation | 7.3.1 | Partial | CVE-2022-22963 does not apply to Data Preparation. However, we will issue a patch to delete the affected jar: TPS-5165 (29-APR-22). The core Spring framework version will not be updated for 7.3. Instead, we recommend that customers use JDK 8 to mitigate the issue. |
| Talend Data Preparation | 7.2.1 | Partial | CVE-2022-22963 does not apply to Data Preparation; the Spring Cloud Function Context jar can be safely deleted. The core Spring framework version will not be updated for 7.2. Instead, we recommend that customers use JDK 8 to mitigate the issue. |
| Talend Data Preparation | All other versions | Not impacted | CVE-2022-22963 does not apply to Data Preparation; the Spring Cloud Function Context jar can be safely deleted. Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable. |
| Talend Data Stewardship | 8.0 | Yes | TPS-5190 (06-MAY-22) |
| Talend Data Stewardship | 7.3.1 | Partial | CVE-2022-22963 does not apply to Data Stewardship. However, we will issue a patch to delete the affected jar: TPS-5195 (13-MAY-22). The core Spring framework version will not be updated for 7.3. Instead, we recommend that customers use JDK 8 to mitigate the issue. |
| Talend Data Stewardship | 7.2.1 | Partial | CVE-2022-22963 does not apply to Data Stewardship; the Spring Cloud Function Context jar can be safely deleted. The core Spring framework version will not be updated for 7.2. Instead, we recommend that customers use JDK 8 to mitigate the issue. |
| Talend Data Stewardship | All other versions | Not impacted | CVE-2022-22963 does not apply to Data Stewardship; the Spring Cloud Function Context jar can be safely deleted. Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable. |
| Talend Dictionary Service | 8.0 | Yes | TPS-5211 (04-MAY-22) |
| Talend Dictionary Service | 7.3.1 | Partial | CVE-2022-22963 does not apply to Dictionary Service; the Spring Cloud Function Context jar can be safely deleted. The core Spring framework version will not be updated for 7.3. Instead, we recommend that customers use JDK 8 to mitigate the issue. |
| Talend Dictionary Service | 7.2.1 | Partial | CVE-2022-22963 does not apply to Dictionary Service; the Spring Cloud Function Context jar can be safely deleted. The core Spring framework version will not be updated for 7.2. Instead, we recommend that customers use JDK 8 to mitigate the issue. |
| Talend Dictionary Service | All other versions | Not impacted | CVE-2022-22963 does not apply to Dictionary Service; the Spring Cloud Function Context jar can be safely deleted. Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable. |
| Talend SAP RFC Server | 8.0 | Yes | TPS-5183 (15-APR-22) |
| Talend SAP RFC Server | 7.3.1 | Yes | TPS-5182 (15-APR-22) |
| Talend SAP RFC Server | 7.2.1 | Yes | TPS-5191 (15-APR-22) |
| Talend SAP RFC Server | All other versions | Not impacted | |
| | All versions | Not impacted | |
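The exposure conditions and mitigations stated at the top of this advisory, turned into a triage check that a defender can run against an inventory of on-premise deployments. This is an added example, not Talend's or VMware's code; the `Deployment` fields, the `jdk_major`/`assess` helpers and the sample values are constructed for illustration, and the Tomcat comparison models only the 9.0.62 threshold the advisory names.

```python
"""Triage a deployment against the CVE-2022-22965 exposure conditions (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Tomcat release the advisory names as hardening the class loader against the exploit.
TOMCAT_FIXED = (9, 0, 62)
# Either of these artifacts on the classpath satisfies the "spring-webmvc or spring-webflux" condition.
SPRING_MVC_DEPS = {"spring-webmvc", "spring-webflux"}

@dataclass
class Deployment:
    jdk_version: str                         # as printed by `java -version`, e.g. "1.8.0_322" or "17.0.3"
    packaging: str                           # "war" or "jar"
    dependencies: list = field(default_factory=list)  # Maven artifactIds present on the classpath
    tomcat_version: Optional[str] = None     # None when Tomcat is not the servlet container

def jdk_major(version: str) -> int:
    """Map a JDK version string to its major release: '1.8.0_322' -> 8, '11.0.15' -> 11, '17' -> 17."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    if not nums:
        raise ValueError(f"unparseable JDK version: {version!r}")
    # Pre-JDK 9 versions use the legacy 1.x scheme, where the second number is the major release.
    return nums[1] if nums[0] == 1 and len(nums) > 1 else nums[0]

def version_tuple(version: str) -> tuple:
    """'9.0.58' -> (9, 0, 58) so versions compare numerically rather than lexically."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def assess(dep: Deployment) -> dict:
    """Evaluate the four conditions from the advisory; 'exposed' is True only when all of them hold.
    Using JDK 8 or Tomcat 9.0.62+ (the advisory's mitigations) each clears one condition."""
    tomcat_unfixed = (dep.tomcat_version is not None
                      and version_tuple(dep.tomcat_version) < TOMCAT_FIXED)
    conditions = {
        "jdk_9_or_higher": jdk_major(dep.jdk_version) >= 9,
        "tomcat_before_9.0.62": tomcat_unfixed,   # assumption: tuple order only, as the advisory names 9.0.62
        "packaged_as_war": dep.packaging.lower() == "war",
        "spring_mvc_or_webflux": bool(SPRING_MVC_DEPS & set(dep.dependencies)),
    }
    conditions["exposed"] = all(conditions.values())
    return conditions

if __name__ == "__main__":
    # Constructed sample: JDK 11 on Tomcat 9.0.58, WAR with spring-webmvc -> all conditions hold.
    print(assess(Deployment("11.0.15", "war", ["spring-webmvc"], "9.0.58")))
```

A deployment that fails any one condition (for example the JDK 8 builds the table marks as "Not impacted") comes back with `exposed` False, matching the advisory's reasoning.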