Press Release

Edifecs Update on Spring4Shell Vulnerability

April 01, 2022

Edifecs is actively responding to CVE-2022-22965. This vulnerability is a class manipulation vulnerability and is currently being discussed publicly as Spring4Shell or SpringShell. It affects Spring MVC and Spring WebFlux applications running on JDK 9+. CVE-2022-22965 was assigned to track the vulnerability on March 31, 2022.

The specific exploit requires the application to run on Tomcat as a "WAR" deployment. If the application is deployed as a Spring Boot executable jar (the default), it is not vulnerable to this exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
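The conditions above (an affected Spring MVC or WebFlux version, JDK 9+, and a WAR deployed on Tomcat) are what a defender has to check per deployment. The following is an added triage helper, not Edifecs code and not part of this release: it inspects the jar names in a deployment's library directory for Spring MVC/WebFlux versions that predate the fix and reports whether the deployment also matches the published exploit preconditions. The fixed versions (5.3.18 and 5.2.20) come from the Spring announcement linked below, not from this page; the function names, the `packaging`/`container` labels and the sample jar list are assumptions constructed for the example.

```python
"""Triage helper for CVE-2022-22965 (Spring4Shell) deployments.

Added example, not Edifecs code. Flags affected Spring MVC / WebFlux jar
versions and reports whether the deployment also matches the preconditions
the announcement gives for the published exploit (JDK 9+, WAR on Tomcat).
"""
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Spring Framework releases that fixed CVE-2022-22965 (from the Spring
# announcement, not from this page): 5.3.18 and 5.2.20.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (5, 3): (5, 3, 18),
    (5, 2): (5, 2, 20),
}

# Only the artifacts the announcement names as affected are matched.
# The optional qualifier covers names such as spring-webflux-5.2.19.RELEASE.jar.
JAR_RE = re.compile(
    r"^(?P<artifact>spring-webmvc|spring-webflux)-"
    r"(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:[.\-][\w\-]+)?\.jar$"
)


def parse_spring_jar(name: str) -> Optional[Tuple[str, Version]]:
    """Return (artifact, version) for an affected Spring jar name, else None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    version = (int(m["major"]), int(m["minor"]), int(m["patch"]))
    return m["artifact"], version


def is_unfixed(version: Version) -> bool:
    """True if the version predates the fix for its minor line."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is not None:
        return version < fixed
    # Lines without a dedicated fix: anything older than the oldest fixed
    # line (5.2.20) never received a patch; newer lines post-date the fix.
    return version < (5, 2, 20)


def scan_lib_dir(lib_dir: Path) -> List[str]:
    """List jar file names in a deployment's library directory (e.g. WEB-INF/lib)."""
    return sorted(p.name for p in lib_dir.glob("*.jar"))


def triage(jar_names: List[str], jdk_major: int, packaging: str, container: str) -> dict:
    """Combine the version check with the published exploit preconditions.

    packaging: "war" or "jar"; container: "tomcat" or "embedded" (assumed labels).
    An affected version is always a finding; the preconditions only set priority.
    """
    affected = [
        n for n in jar_names
        if (parsed := parse_spring_jar(n)) is not None and is_unfixed(parsed[1])
    ]
    preconditions = jdk_major >= 9 and packaging == "war" and container == "tomcat"
    if not affected:
        priority = "none"
    elif preconditions:
        priority = "critical"   # matches the published exploit path
    else:
        priority = "high"       # still patch: the vulnerability is more general
    return {
        "affected_jars": affected,
        "exploit_preconditions_met": preconditions,
        "priority": priority,
    }


if __name__ == "__main__":
    # Constructed sample: a Tomcat WAR's WEB-INF/lib listing, not a real deployment.
    sample_jars = ["spring-webmvc-5.3.17.jar", "spring-core-5.3.17.jar", "commons-io-2.11.0.jar"]
    print(triage(sample_jars, jdk_major=11, packaging="war", container="tomcat"))
```

Run `scan_lib_dir(Path("WEB-INF/lib"))` on an exploded WAR to feed `triage`; a finding with `priority == "high"` (for example a Spring Boot executable jar on JDK 8) still needs the upgrade, because the release notes that the vulnerability is more general than the one published exploit.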

Once Edifecs became aware of the CVE, our Security Operations team launched an investigation. Edifecs has completed vulnerability scans for Spring4Shell on all external-facing environments and is happy to report that no exploitable Spring4Shell vulnerabilities were found. The team continues to assess the impact on Edifecs' products and services across both its corporate and production environments, including running extensive internal scans.

We want you to know that we take this and all security vulnerabilities seriously. We hope this information helps you to rest easy knowing that we take your solution and operational security seriously. More updates will be published on our response page: Edifecs Update on Spring4Shell Vulnerability and the Edifecs ServiceDesk portal: https://support.edifecs.com.

For any further questions or assistance, please feel free to reach out to our Product Support team via the Edifecs ServiceDesk (https://support.edifecs.com), send an email to support@edifecs.com, or call us at 1-855-333-4462.

Useful links:

https://support.edifecs.com/support/solutions/articles/9000213637-edifecs-response-to-cve-2022-22965

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability