UPDATE (as of 7-Apr 10:00 CDT):
A critical vulnerability potentially allowing remote code execution in Spring Framework, impacting all versions prior to 5.3.18 and prior to 5.2.20, has been publicly disclosed. The vulnerability has been assigned the identifier CVE-2022-22965 and is also commonly referred to as “Spring4Shell”.
NOTE: Be advised this is an ongoing assessment. Updates will be made to this advisory as further information becomes available.
We also recommend customers proactively monitor the Spring Framework RCE, Early Announcement blog post for continued updates directly from the Spring team.
Revenera Product Assessment
| Product | Potential Exposure to CVE-2022-22965 | Potentially Exposed Component/Version | Fixed Version | Mitigation |
|---|---|---|---|---|
| FlexNet Operations (ALM): | | | | |
| Device Activation Service (LFS) | No | N/A | N/A | N/A |
| Notification Server (NS) | No | N/A | N/A | N/A |
| Software Delivery (ESD) | No | N/A | N/A | N/A |
| Usage Analytics Service (UAS) | No | N/A | N/A | N/A |
| FlexNet Operations (LLM): Core app | No | N/A | N/A | N/A |
| FlexNet Operations (On-premise) | No | N/A | N/A | N/A |
| Cloud Licensing Service (CLS) | No | N/A | N/A | N/A |
| FlexNet Embedded SDK | No | N/A | N/A | N/A |
| FlexNet Embedded LLS | No | N/A | N/A | N/A |
| FlexNet Embedded FLSM | No | N/A | N/A | N/A |
| Usage Intelligence SDK | No | N/A | N/A | N/A |
| Compliance Intelligence SDK | No | N/A | N/A | N/A |
Note: The assessed statuses apply to Revenera product versions that are still supported (that is, they have not yet reached their End-of-Life). Product lifecycle dates can be found at https://docs.revenera.com/eol/.
- Information about Flexera products: Flexera's response to Spring Framework vulnerability CVE-2022-22965
- CVE definitions
- Expanded CVE definitions:
- Spring Framework
2022-04-07 10:00 CDT: Assessment updates provided for FlexNet Operations ALM by component and FlexNet Embedded FLSM.
2022-04-05 08:54 CDT: Initial Revenera product assessment details published.
2022-03-31 16:00 CDT: Initial security advisory.
INITIAL SECURITY ADVISORY (31-Mar 15:47 CDT):
Please be advised of a recent remote code execution (RCE) vulnerability discovered in Spring Framework. For details about this vulnerability, please see the resources below:
- Spring Framework RCE, Early Announcement
- CVE-2022-22965: https://tanzu.vmware.com/security/cve-2022-22965
Based on the information currently available, Revenera product teams are actively investigating the impact, if any, this vulnerability may have on our solutions, and we will continue to monitor for updates from security experts. We also recommend customers proactively monitor the Spring Framework RCE, Early Announcement blog post for continued updates directly from the Spring team.
We appreciate your patience during this time as we work to complete our product assessments. We will provide status updates once we have more information about the scope of the vulnerability’s impact and whether any remediation steps are required.