Publication Date: April 6th, 2022
Important: For more recent security updates, see the Trust Center Updates section on Talend Security Portal. Subscribe to the Trust Center Updates to be notified by email when a security update is published.
According to the information published on https://tanzu.vmware.com/security/cve-2022-22965, the exploit for CVE-2022-22965 impacts systems with all of the following characteristics:
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as WAR
- spring-webmvc or spring-webflux dependency
On-premise customers who are concerned about possible exposure to this vulnerability can mitigate the issue by using JDK 8 and/or Apache Tomcat 9.0.62 or later, which hardens the class loader against this exploit. Out of an abundance of caution, we will release patches to update to a fixed version of Spring for both CVE-2022-22965 and CVE-2022-22963 as per the following table.
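The four characteristics and the two mitigations above translate directly into a triage rule that can be run over a deployment inventory. The following Python helper is an added example (not Talend's code and not from the VMware advisory): it parses JDK and Tomcat version strings, checks each of the four preconditions, and reports a host as needing action only when all four hold and the Tomcat class-loader hardening is absent. The version-string parsing rules, the hypothetical hostnames in the inventory and the decision to treat only the 9.0.x line as covered by "9.0.62+" (other Tomcat lines are reported as not known-hardened and should be checked against the Tomcat project's own announcements) are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Preconditions and mitigation as stated in the advisory text above.
SPRING_WEB_ARTIFACTS = {"spring-webmvc", "spring-webflux"}
TOMCAT_HARDENED_FROM = (9, 0, 62)  # "Apache Tomcat 9.0.62+"


@dataclass
class Assessment:
    """Outcome of applying the advisory's conditions to one deployment record."""
    exploit_preconditions_met: bool
    unmet_preconditions: List[str] = field(default_factory=list)
    tomcat_hardened: bool = False

    @property
    def action_required(self) -> bool:
        # All four preconditions hold and the Tomcat hardening is absent.
        # (Running JDK 8 already shows up as an unmet precondition.)
        return self.exploit_preconditions_met and not self.tomcat_hardened


def jdk_feature_release(version: str) -> int:
    """Feature release number from a `java -version`-style string (assumed formats).

    Legacy scheme '1.8.0_312' -> 8; modern scheme '11.0.14', '17', '17.0.2+8' -> 11, 17, 17.
    """
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised JDK version string: {version!r}")
    first, second = int(m.group(1)), m.group(2)
    if first == 1 and second is not None:
        return int(second)
    return first


def tomcat_version_tuple(version: str) -> Tuple[int, int, int]:
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return major, minor, patch


def tomcat_hardened(version: str) -> bool:
    """True only for 9.0.62 and later releases of the 9.0.x line named in the advisory.

    Other Tomcat lines are deliberately reported as not known-hardened here (assumption of
    this example); confirm them against the Tomcat project's release notes instead.
    """
    major, minor, patch = tomcat_version_tuple(version)
    return (major, minor) == TOMCAT_HARDENED_FROM[:2] and patch >= TOMCAT_HARDENED_FROM[2]


def assess_exposure(jdk_version: str, servlet_container: str, packaging: str,
                    dependencies: Iterable[str], tomcat_version: Optional[str] = None) -> Assessment:
    """Apply the advisory's four preconditions and the Tomcat mitigation to one record."""
    unmet: List[str] = []
    if jdk_feature_release(jdk_version) < 9:
        unmet.append("JDK 9 or higher")
    is_tomcat = servlet_container.strip().lower() == "tomcat"
    if not is_tomcat:
        unmet.append("Apache Tomcat as the Servlet container")
    if packaging.strip().lower() != "war":
        unmet.append("Packaged as WAR")
    if not SPRING_WEB_ARTIFACTS & {d.strip().lower() for d in dependencies}:
        unmet.append("spring-webmvc or spring-webflux dependency")
    hardened = bool(is_tomcat and tomcat_version and tomcat_hardened(tomcat_version))
    return Assessment(exploit_preconditions_met=not unmet,
                      unmet_preconditions=unmet,
                      tomcat_hardened=hardened)


# Constructed sample inventory: hypothetical hosts, not taken from the advisory.
SAMPLE_INVENTORY = [
    {"host": "app-01", "jdk_version": "11.0.14", "servlet_container": "tomcat",
     "packaging": "war", "dependencies": ["spring-webmvc"], "tomcat_version": "9.0.58"},
    {"host": "app-02", "jdk_version": "17.0.2+8", "servlet_container": "tomcat",
     "packaging": "war", "dependencies": ["spring-webflux"], "tomcat_version": "9.0.62"},
    {"host": "app-03", "jdk_version": "1.8.0_312", "servlet_container": "tomcat",
     "packaging": "war", "dependencies": ["spring-webmvc"], "tomcat_version": "9.0.45"},
    {"host": "app-04", "jdk_version": "17", "servlet_container": "jetty",
     "packaging": "jar", "dependencies": ["spring-webflux"]},
]


def hosts_needing_action(inventory=SAMPLE_INVENTORY) -> List[str]:
    """Hostnames for which the advisory's exploit preconditions hold and no mitigation is in place."""
    out = []
    for rec in inventory:
        fields = {k: v for k, v in rec.items() if k != "host"}
        if assess_exposure(**fields).action_required:
            out.append(rec["host"])
    return out


if __name__ == "__main__":
    for rec in SAMPLE_INVENTORY:
        a = assess_exposure(**{k: v for k, v in rec.items() if k != "host"})
        status = "ACTION REQUIRED" if a.action_required else "no action per advisory"
        print(f"{rec['host']}: {status}; unmet={a.unmet_preconditions}; tomcat_hardened={a.tomcat_hardened}")
```

On the constructed inventory only `app-01` (JDK 11, Tomcat 9.0.58, WAR, spring-webmvc) is reported as needing action; `app-02` is covered by the Tomcat hardening, `app-03` runs JDK 8, and `app-04` is neither on Tomcat nor packaged as a WAR. Note that the check only reflects the published exploit's preconditions; the advisory still ships Spring updates for both CVEs regardless of this outcome.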
Product | Version | Impact | Comments |
---|---|---|---|
ESB Runtime | 8.0 | Yes | Will be patched in 8.0.1-R2022-04 monthly release |
ESB Runtime | 7.3 | Yes | Will be patched in 7.3.1-R2022-04 monthly release |
ESB Runtime | 7.2 | Yes | Patch information pending |
ESB Runtime | All other versions | Not impacted | Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable. CVE-2022-22963 is not applicable to ESB Runtime. |
IAM | 8.0 | Yes | Patch information pending |
IAM | 7.3 | Yes | Patch information pending |
IAM | 7.2 | Yes | Patch information pending |
IAM | All other versions | Not impacted | Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable. CVE-2022-22963 is not applicable to IAM. |
MDM | 8.0 | Yes | Patch will be available on 11-APR-22 |
MDM | 7.3 | Yes | Patch will be available on 08-APR-22 |
MDM | 7.2 | TBC | |
MDM | All other versions | TBC | |
Talend Studio | 8.0 | Yes | ESB, Big Data, DI (tDQReportRun), microservices to be rebuilt - R2022-04 (no date yet) |
Talend Studio | 7.3 | Yes | ESB, Big Data, DI (tDQReportRun), microservices to be rebuilt - R2022-04 (no date yet) |
Talend Studio | 7.2 | Yes | ESB, microservices to be rebuilt - Patch information pending |
Talend Studio | All other versions | Not impacted | Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable. CVE-2022-22963 is not applicable to Studio. |
Talend Cloud Applications | All | Yes | As of April 1, we implemented blocking of external exploitation attempts on Talend Cloud Products for these CVEs. However, we will also update any Talend Cloud application that has a dependency on Spring. No impact for customers. |
Remote Engine Gen1 | All | Yes | Patch information pending |
Remote Engine Gen1 (Marketplace) | All | Yes | Patch information pending |
Remote Engine Gen2 | All | Yes | Patch information pending |
Talend Data Preparation | 8.0 | Yes | Patch information pending |
Talend Data Preparation | 7.3.1 | Yes | Patch information pending |
Talend Data Preparation | 7.2.1 | TBC | |
Talend Data Preparation | All other versions | TBC | |
Talend Data Stewardship | 8.0 | Yes | Patch information pending |
Talend Data Stewardship | 7.3.1 | Yes | Patch information pending |
Talend Data Stewardship | 7.2.1 | TBC | |
Talend Data Stewardship | All other versions | TBC | |
Talend SAP RFC Server | 8.0 | Yes | Patch information pending |
Talend SAP RFC Server | 7.3.1 | Yes | Patch information pending |
Talend SAP RFC Server | 7.2.1 | TBC | |
Talend SAP RFC Server | All other versions | Not impacted | |
 | All versions | Not impacted | |