A critical vulnerability potentially allowing remote code execution in Spring Framework, impacting all versions prior to 5.3.18 and prior to 5.2.20, has been publicly disclosed. The vulnerability has been assigned the identifier CVE-2022-22965 and is also commonly referred to as “Spring4Shell”.
This article provides currently available information about the potential impact of the vulnerability on Flexera products.
NOTE: This is an ongoing assessment. Updates will be made to this advisory as further information becomes available.
The assessed status applies to all versions of Flexera's products that are still supported (that is, versions that have not yet reached their End of Life). Product lifecycle dates can be found at https://docs.flexera.com/eol/default.htm.
Information about Spring Framework in FlexNet Manager for Engineering Applications
Current versions of FlexNet Manager for Engineering Applications include a version of the Spring Framework components that contains the CVE-2022-22965 vulnerability. However, no use of the specific Spring Framework functionality that is the subject of the vulnerability has been identified.
Regardless of this, and out of an abundance of caution, Flexera is planning to release an update to FlexNet Manager for Engineering Applications that contains updated Spring Framework components by the end of May 2022.