Summary

A critical vulnerability in Spring Framework, potentially allowing remote code execution and impacting all versions prior to 5.3.18 and prior to 5.2.20, has been publicly disclosed. The vulnerability has been assigned the identifier CVE-2022-22965, and is also commonly referred to as “Spring4Shell”.

This article provides currently available information about the potential impact of the vulnerability on Flexera products.

NOTE: This is an ongoing assessment. Updates will be made to this advisory as further information becomes available.

We also recommend customers proactively monitor the Spring Framework RCE, Early Announcement blog post for continued updates directly from the Spring team.

Flexera product assessment

| Product | Potential Exposure to CVE-2022-22965 | Potentially Exposed Components or Versions | Fixed Version | Mitigation |
|---|---|---|---|---|
| AdminStudio | No | N/A | N/A | N/A |
| App Portal / App broker | No | N/A | N/A | N/A |
| Cloud Management Platform | No | N/A | N/A | N/A |
| CloudScape / Foundation | No | N/A | N/A | N/A |
| Columbus | No | N/A | N/A | N/A |
| Data Platform | No | N/A | N/A | N/A |
| FlexNet Manager Suite On Premises | No | N/A | N/A | N/A |
| FlexNet Manager for Engineering Applications | Yes | All up to 2021 R1 SP2 | Pending | See note |
| Flexera One: | | | | |
| Cloud Cost Optimization (Optima) | No | N/A | N/A | N/A |
| IT Asset Management | No | N/A | N/A | N/A |
| IT Visibility | No | N/A | N/A | N/A |
| SaaS Management | No | N/A | N/A | N/A |
| Software Vulnerability Manager Cloud | No | N/A | N/A | N/A |
| Software Vulnerability Manager On Premises | No | N/A | N/A | N/A |
| Software Vulnerability Research | No | N/A | N/A | N/A |
| Spider | No | N/A | N/A | N/A |
| Technopedia | No | N/A | N/A | N/A |
| Workflow Manager | No | N/A | N/A | N/A |

The information on this page reflects:

  • The assessed status of Flexera's SaaS systems.
  • The assessed status of all versions of Flexera's products that are still supported (that is, they have not yet reached their End of Life). Product lifecycle dates can be found at https://docs.flexera.com/eol/default.htm.

Information about Spring Framework in FlexNet Manager for Engineering Applications

Current versions of FlexNet Manager for Engineering Applications ship Spring Framework components in a version that contains the CVE-2022-22965 vulnerability. However, no use of the specific Spring Framework functionality that is the subject of the vulnerability has been identified.

Regardless of this, and out of an abundance of caution, Flexera is planning to release an update to FlexNet Manager for Engineering Applications that contains updated Spring Framework components by the end of May 2022.

Change log

2022-04-01 22:00 UTC: Initial notice posted.

2022-04-05 04:30 UTC: Assessment for initial set of Flexera products posted.

2022-04-07 02:15 UTC: Updated assessment status for CloudScape / Foundation, Data Platform, Cloud Cost Optimization, and IT Visibility.

2022-04-07 23:20 UTC: Updated assessment status for Technopedia.

2022-04-14 18:15 UTC: Updated assessment status for Flexera One IT Asset Management.

2022-04-21 09:25 UTC: Updated assessment status for FlexNet Manager for Engineering Applications.
