0-day Vulnerabilities in Spring (Spring4Shell and CVE-2022-22963/CVE-2022-22965)

Summary

On Tuesday, March 29, 2022, reports of potential vulnerabilities in the Spring Framework surfaced. The Spring Framework is a very popular framework used by Java developers to build modern applications and is owned by VMware.

Spring is providing regular updates via its support blog: Spring Framework RCE, Early Announcement

We have not received any reports of these issues from SolarWinds customers but are actively investigating. SolarWinds strongly recommends all customers disconnect their public-facing (internet-facing) installations of these SolarWinds products from the internet.

  • Web Help Desk

SolarWinds is actively investigating these vulnerabilities and will provide regular updates as new information becomes available and is validated. Out of an abundance of caution, we are working on updates to these products that include the latest Spring Framework release the Spring team made available today, and we will alert customers when those updates are available.
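Until a product update ships, the practical question for an operator is which Spring Framework version a given installation actually bundles. The script below is an added example, not SolarWinds or Spring code, and it is not specific to Web Help Desk: it walks a deployment directory, finds Spring Framework module jars (spring-core, spring-beans, spring-web, spring-webmvc, ...), reads the version from the file name and, where present, the jar's own MANIFEST.MF (which survives a rename), and flags anything below a minimum version that the operator supplies from the Spring announcement linked above. The version numbers in the built-in sample deployment are constructed for the demonstration only, and the helper that builds that sample is part of the example, not a real install.

```python
"""Inventory Spring Framework jars under a deployment tree and flag versions
below an operator-supplied minimum. Added example; not vendor code."""
import re
import tempfile
import zipfile
from pathlib import Path

# Modules that share the Spring Framework version number. Spring Boot, Spring
# Cloud, etc. have their own numbering and are deliberately not compared.
FRAMEWORK_ARTIFACTS = frozenset({
    "spring-core", "spring-beans", "spring-context", "spring-context-support",
    "spring-aop", "spring-expression", "spring-jcl", "spring-web",
    "spring-webmvc", "spring-webflux", "spring-messaging", "spring-websocket",
    "spring-jdbc", "spring-orm", "spring-tx", "spring-oxm", "spring-jms",
    "spring-aspects", "spring-test",
})

# spring-webmvc-5.3.17.jar, spring-core-5.2.19.RELEASE.jar, ...
JAR_RE = re.compile(r"^(spring-[a-z]+(?:-[a-z]+)*)-(\d+(?:\.\d+)+)(?:\.[A-Za-z0-9]+)?\.jar$")
MANIFEST_VERSION_RE = re.compile(r"^Implementation-Version:\s*(\d+(?:\.\d+)+)", re.M)


def parse_version(text):
    """'5.3.17' -> (5, 3, 17) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def jar_version(path):
    """Return (artifact, version) for a Spring Framework jar, or None.

    The file name is the fallback; MANIFEST.MF Implementation-Version wins
    because a repackaged or renamed jar keeps its manifest."""
    match = JAR_RE.match(path.name)
    if not match or match.group(1) not in FRAMEWORK_ARTIFACTS:
        return None
    artifact, version = match.group(1), match.group(2)
    try:
        with zipfile.ZipFile(path) as jar:
            if "META-INF/MANIFEST.MF" in jar.namelist():
                manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                found = MANIFEST_VERSION_RE.search(manifest)
                if found:
                    version = found.group(1)
    except zipfile.BadZipFile:
        pass  # not a real jar; keep the file-name version
    return artifact, version


def scan(root, minimum):
    """Walk `root` recursively; one finding per Spring Framework jar."""
    floor = parse_version(minimum)
    findings = []
    for path in Path(root).rglob("*.jar"):
        result = jar_version(path)
        if result is None:
            continue
        artifact, version = result
        findings.append({
            "path": str(path),
            "artifact": artifact,
            "version": version,
            "below_minimum": parse_version(version) < floor,
        })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_deployment():
    """Constructed sample: a fake WEB-INF/lib with hand-made jars (example only)."""
    lib = Path(tempfile.mkdtemp()) / "WEB-INF" / "lib"
    lib.mkdir(parents=True)

    def make_jar(name, manifest_version=None):
        with zipfile.ZipFile(lib / name, "w") as jar:
            if manifest_version:
                jar.writestr("META-INF/MANIFEST.MF",
                             f"Manifest-Version: 1.0\nImplementation-Version: {manifest_version}\n")
            jar.writestr("org/example/Placeholder.class", b"")

    make_jar("spring-core-5.3.17.jar", "5.3.17")          # below the sample minimum
    make_jar("spring-webmvc-5.3.18.jar", "5.3.18")        # at the sample minimum
    make_jar("spring-beans-5.3.18.jar", "5.3.17")         # renamed; manifest tells the truth
    make_jar("spring-boot-2.6.5.jar", "2.6.5")            # different numbering; ignored
    make_jar("jackson-databind-2.13.2.jar", "2.13.2")     # unrelated; ignored
    return lib.parent.parent


if __name__ == "__main__":
    root = build_sample_deployment()
    for finding in scan(root, minimum="5.3.18"):   # minimum is an operator input
        flag = "BELOW MINIMUM" if finding["below_minimum"] else "ok"
        print(f"{flag:14} {finding['artifact']:24} {finding['version']:10} {finding['path']}")
```

Run it against a real install as `scan("/path/to/WebHelpDesk", minimum="<version from the Spring announcement>")`; the sample deployment exists only so the script runs offline. A jar whose manifest disagrees with its file name is reported under the manifest version, which is the one that matters.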

For the most recent information, please see SolarWinds Trust Center Security Advisories | Spring4Shell in the SolarWinds Trust Center.

Fixed Version

Revisions

Date         Revision
31-MAR-2022  Initial publication
06-APR-2022  Added fixed version information