Spring4Shell Issue (CVE-2022-22965; CVE-2022-22963)

Spring4Shell Disclosure - CVE-2022-22965


Publication Date: June 2nd, 2022

According to the information published on https://tanzu.vmware.com/security/cve-2022-22965, the exploit for CVE-2022-22965 impacts systems with all of the following characteristics:

  • JDK 9 or higher

  • Apache Tomcat as the Servlet container

  • Packaged as WAR

  • spring-webmvc or spring-webflux dependency

On-premise customers who are concerned about possible exposure to this vulnerability can mitigate the issue by using JDK 8 and/or Apache Tomcat 9.0.62+, which contains a fix to harden the class-loader to mitigate this exploit. Out of an abundance of caution, we will release patches to update to a fixed version of Spring for both CVE-2022-22965 and CVE-2022-22963 as per the following table.
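The four preconditions and the two mitigations above translate directly into a triage check. The following is an added example, not part of the Talend advisory or any Talend product: it takes facts an administrator collects from a deployment (JDK major version, servlet container, packaging, jar names under WEB-INF/lib, Tomcat version, all constructed input here), reports whether CVE-2022-22965 is not applicable, mitigated by Tomcat 9.0.62+, or still exposed, and lists the Spring Cloud Function Context jar that the table below says can be deleted for CVE-2022-22963. Jar-name prefixes and the `Deployment` structure are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Thresholds and names taken from the advisory text above.
TOMCAT_HARDENED = (9, 0, 62)                 # Tomcat 9.0.62+ hardens the class-loader
SPRING_WEB_PREFIXES = ("spring-webmvc", "spring-webflux")
SCF_CONTEXT_PREFIX = "spring-cloud-function-context"   # the "affected jar" for CVE-2022-22963


def parse_version(text: str) -> tuple:
    """'9.0.62' -> (9, 0, 62); qualifiers such as '-M1' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


@dataclass
class Deployment:
    """Facts collected from one instance (assumed structure, constructed input)."""
    jdk_major: int                   # e.g. 8 or 11
    container: str                   # servlet container, lower-case, e.g. "tomcat"
    packaging: str                   # "war" or "jar"
    jars: List[str] = field(default_factory=list)   # file names under WEB-INF/lib
    tomcat_version: Optional[str] = None


def cve_2022_22965_status(d: Deployment) -> str:
    """'not-applicable' unless all four advisory preconditions hold; then
    'mitigated' on a hardened Tomcat 9.0.62+, otherwise 'exposed'."""
    has_spring_web = any(j.startswith(SPRING_WEB_PREFIXES) for j in d.jars)
    if not (d.jdk_major >= 9 and d.container == "tomcat"
            and d.packaging == "war" and has_spring_web):
        return "not-applicable"
    if d.tomcat_version:
        v = parse_version(d.tomcat_version)
        # Only the Tomcat 9.x line is named in the advisory; other lines stay "exposed".
        if v and v[0] == 9 and v >= TOMCAT_HARDENED:
            return "mitigated"
    return "exposed"


def cve_2022_22963_jars(d: Deployment) -> List[str]:
    """Jars the advisory says can be deleted where Spring Cloud Function is unused."""
    return [j for j in d.jars if j.startswith(SCF_CONTEXT_PREFIX)]


if __name__ == "__main__":
    sample = Deployment(jdk_major=11, container="tomcat", packaging="war",
                        jars=["spring-webmvc.jar", "spring-cloud-function-context.jar"],
                        tomcat_version="9.0.58")          # constructed sample
    print("CVE-2022-22965:", cve_2022_22965_status(sample))
    print("CVE-2022-22963 jars to remove:", cve_2022_22963_jars(sample))
```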

Product | Version | Impact | Comments
ESB Runtime | 8.0 | Yes | 8.0.1-R2022-04 (22-APR-22)
ESB Runtime | 7.3 | Yes | 7.3.1-R2022-04 (12-APR-22)
ESB Runtime | 7.2 | Yes | TPS-5231-RT (02-MAY-22)
ESB Runtime | All other versions | Not impacted | Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable. CVE-2022-22963 is not applicable to ESB Runtime.
IAM | 8.0 | Yes | TPS-5180 (12-APR-22)
IAM | 7.3 | Yes | TPS-5177 (12-APR-22)
IAM | 7.2 | Yes | TPS-5178 (12-APR-22)
IAM | All other versions | Not impacted | Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable. CVE-2022-22963 is not applicable to IAM.
MDM | 8.0 | Yes | TPS-5155 (11-APR-22)
MDM | 7.3 | Yes | TPS-5154 (08-APR-22)
MDM | 7.2 | Yes | TPS-5193 (15-APR-22)
MDM | All other versions | Not impacted | Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable. CVE-2022-22963 is not applicable to MDM.
Talend Studio | 8.0 | Yes | Studio installation. ESB, Big Data, DI (tDQReportRun) and microservices to be rebuilt - R2022-03v2 (15-APR-22)
Talend Studio | 7.3 | Yes | Studio installation. ESB, Big Data, DI (tDQReportRun) and microservices to be rebuilt - R2022-04 (14-APR-22)
Talend Studio | 7.2 | Yes | Studio installation. ESB, Big Data, DI (tDQReportRun) and microservices to be rebuilt - TPS-5140 (06-MAY-22)
Talend Studio | All other versions | Not impacted | Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable. CVE-2022-22963 is not applicable to Studio.
Talend Cloud Applications | All | Yes | As of April 1, we implemented blocking of external exploitation attempts on Talend Cloud products for these CVEs. However, we will also update any Talend Cloud application that has a dependency on Spring. No impact for customers.
Remote Engine Gen1 | All | Not impacted | CVE-2022-22963 is not applicable to the RE Gen 1. Spring beans are not exposed in the RE Gen 1, so CVE-2022-22965 does not apply. However, we updated Spring to a fixed version in Talend Remote Engine v2.12.0.
Remote Engine Gen1 (Marketplace) | All | Not impacted | CVE-2022-22963 is not applicable to the RE Gen 1. Spring beans are not exposed in the RE Gen 1, so CVE-2022-22965 does not apply. However, we updated Spring to a fixed version in Talend Remote Engine v2.12.0, which is available in the AWS Marketplace (26-MAY-22) and Azure Marketplace (31-MAY-22).
Remote Engine Gen2 | All | Yes | The Remote Engine Gen 2 was updated in the R2022-05 release (a restart might be required to download the updated image).
Talend Data Preparation | 8.0 | Yes | TPS-5166 (29-APR-22)
Talend Data Preparation | 7.3.1 | Partial | CVE-2022-22963 does not apply to Data Preparation. However, we will issue a patch to delete the affected jar - TPS-5165 (29-APR-22). The core Spring framework version will not be updated for 7.3. Instead, we recommend that customers use JDK 8 to mitigate the issue.
Talend Data Preparation | 7.2.1 | Partial | CVE-2022-22963 does not apply to Data Preparation - the Spring Cloud Function Context jar can be safely deleted. The core Spring framework version will not be updated for 7.2. Instead, we recommend that customers use JDK 8 to mitigate the issue.
Talend Data Preparation | All other versions | Not impacted | CVE-2022-22963 does not apply to Data Preparation - the Spring Cloud Function Context jar can be safely deleted. Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable.
Talend Data Stewardship | 8.0 | Yes | TPS-5190 (06-MAY-22)
Talend Data Stewardship | 7.3.1 | Partial | CVE-2022-22963 does not apply to Data Stewardship. However, we will issue a patch to delete the affected jar - TPS-5195 (13-MAY-22). The core Spring framework version will not be updated for 7.3. Instead, we recommend that customers use JDK 8 to mitigate the issue.
Talend Data Stewardship | 7.2.1 | Partial | CVE-2022-22963 does not apply to Data Stewardship - the Spring Cloud Function Context jar can be safely deleted. The core Spring framework version will not be updated for 7.2. Instead, we recommend that customers use JDK 8 to mitigate the issue.
Talend Data Stewardship | All other versions | Not impacted | CVE-2022-22963 does not apply to Data Stewardship - the Spring Cloud Function Context jar can be safely deleted. Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable.
Talend Dictionary Service | 8.0 | Yes | TPS-5211 (04-MAY-22)
Talend Dictionary Service | 7.3.1 | Partial | CVE-2022-22963 does not apply to Dictionary Service - the Spring Cloud Function Context jar can be safely deleted. The core Spring framework version will not be updated for 7.3. Instead, we recommend that customers use JDK 8 to mitigate the issue.
Talend Dictionary Service | 7.2.1 | Partial | CVE-2022-22963 does not apply to Dictionary Service - the Spring Cloud Function Context jar can be safely deleted. The core Spring framework version will not be updated for 7.2. Instead, we recommend that customers use JDK 8 to mitigate the issue.
Talend Dictionary Service | All other versions | Not impacted | CVE-2022-22963 does not apply to Dictionary Service - the Spring Cloud Function Context jar can be safely deleted. Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable.
Talend SAP RFC Server | 8.0 | Yes | TPS-5183 (15-APR-22)
Talend SAP RFC Server | 7.3.1 | Yes | TPS-5182 (15-APR-22)
Talend SAP RFC Server | 7.2.1 | Yes | TPS-5191 (15-APR-22)
Talend SAP RFC Server | All other versions | Not impacted |
Talend Administration Center, JobServer, LogServer, Stitch Data Loader, Talend Data Catalog | All versions | Not impacted |