0-day Vulnerabilities in Spring (Spring4Shell and CVE-2022-22963/CVE-2022-22965)
Summary
On Tuesday, March 29, news of potential vulnerabilities in the Spring Framework surfaced. The Spring Framework is a very popular framework used by Java developers to build modern applications and is owned by VMware.
Spring is providing regular updates via its support blog: Spring Framework RCE, Early Announcement
We have not received any reports of these issues from SolarWinds customers but are actively investigating. SolarWinds strongly recommends all customers disconnect their public-facing (internet-facing) installations of these SolarWinds products from the internet.
- Database Performance Analyzer
Additionally, we recommend users of these products ensure they are referencing our best practices and recommendations as follows:
- Database Performance Analyzer (DPA): Please review the DPA Secure Configuration Guide Best Practices and Recommendations
SolarWinds is actively investigating these vulnerabilities and will provide regular updates as new information becomes available and is validated. Out of an abundance of caution, we are working on updates to these products to include the latest version of the Spring Framework the Spring team has made available today, and we will alert customers to its availability once completed.
For the most recent information, please see SolarWinds Trust Center Security Advisories | Spring4Shell in the SolarWinds Trust Center.
Fixed Version
- Database Performance Analyzer (DPA) 2022.1.7779 [Release Notes]
Revisions
| Date | Revision |
|---|---|
| 31-MAR-2022 | Initial publication |
| 07-APR-2022 | Added fixed version information |