Security Advisory: Assessment of Flexera's products' exposure to Spring Framework RCE Vulnerability CVE-2022-22965

Resnofendri · ‎Apr 01, 2022

Summary

A critical vulnerability potentially allowing remote code execution in Spring Framework impacting all versions prior to 5.3.18 and prior to 5.2.20. has been publicly disclosed. The vulnerability has been assigned the identifier CVE-2022-22965, and is also commonly referred to as “Spring4Shell”.

This article provides currently available information about the potential impact of the vulnerability on Flexera products.

NOTE: This is an ongoing assessment. Updates will be made to this advisory as further information becomes available.

We also recommend customers proactively monitor the Spring Framework RCE, Early Announcement blog post for continued updates directly from the Spring team.

Flexera product assessment

Product	Potential Exposure to CVE-2022-22965	Potentially Exposed Components or Versions	Fixed Version	Mitigation
AdminStudio	No	N/A	N/A	N/A
App Portal / App broker	No	N/A	N/A	N/A
Cloud Management Platform	No	N/A	N/A	N/A
CloudScape / Foundation	No	N/A	N/A	N/A
Columbus	No	N/A	N/A	N/A
Data Platform	No	N/A	N/A	N/A
FlexNet Manager Suite On Premises	No	N/A	N/A	N/A
FlexNet Manager for Engineering Applications	Yes	All up to 2021 R1 SP2	Pending	See note
Flexera One:
Cloud Cost Optimization (Optima)	No	N/A	N/A	N/A
IT Asset Management	No	N/A	N/A	N/A
IT Visibility	No	N/A	N/A	N/A
SaaS Management	No	N/A	N/A	N/A
Software Vulnerability Manager Cloud	No	N/A	N/A	N/A
Software Vulnerability Manager On Premises	No	N/A	N/A	N/A
Software Vulnerability Research	No	N/A	N/A	N/A
Spider	No	N/A	N/A	N/A
Technopedia	No	N/A	N/A	N/A
Workflow Manager	No	N/A	N/A	N/A

The information on this page reflects:

The assessed status of Flexera's SaaS systems.
The assessed status of all versions of Flexera's products that are still supported (that is, they have not yet reached their End of Life). Product lifecycle dates can be found at https://docs.flexera.com/eol/default.htm.

Information about Spring Framework in FlexNet Manager for Engineering Applications

Current versions of FlexNet Manager for Engineering Applications include a version of Spring Framework components that includes the CVE-2022-22965 vulnerability. However no use of the specific Spring Framework functionality that is the subject of the vulnerability has been identified.

Regardless of this, and out of an abundance of caution, Flexera is planning to release an update to FlexNet Manager for Engineering Applications that contains updated Spring Framework components by the end of May 2022.

Related information

Information about Revenera products: Assessment of Revenera's products' exposure to Spring Framework RCE Vulnerability (CVE-2022-22965)
CVE definition: CVE-2022-22965
Expanded CVE definition: https://www.cve.org/CVERecord?id=CVE-2022-22965
Spring Framework information

Change log

2022-04-01 22:00 UTC: Initial notice posted.

2022-04-05 04:30 UTC: Assessment for initial set of Flexera products posted.

2022-04-07 02:15 UTC: Updated assessment status for CloudScape / Foundation, Data Platform, Cloud Cost Optimization, and IT Visibility.

2022-04-07 23:20 UTC: Updated assessment status for Technopedia.

2022-04-14 18:15 UTC: Updated assessment status for Flexera One IT Asset Management.

2022-04-21 09:25 UTC: Updated assessment status for FlexNet Manager for Engineering Applications.

ChrisG · ‎Apr 04, 2022

This post has been updated to note the current assessment for many Flexera products.

ChrisG · ‎Apr 06, 2022

The assessment status for the following products been updated on this page: CloudScape / Foundation, Data Platform, Cloud Cost Optimization, and IT Visibility

mfranz · ‎Apr 07, 2022

I love how transparent this is being made lately!

ChrisG · ‎Apr 07, 2022

The assessment status for Technopedia has now been updated on this page.

bruce_giles · ‎Apr 13, 2022

Hi Chris, any indication when the assessment for "IT Asset Management" under Flexera One will be completed.

Thanks in Advance

Bruce

afilla · ‎Apr 14, 2022

Is there an update for FNMEA yet?

ChrisG · ‎Apr 15, 2022

@bruce_giles - the status of Flexera One ITAM has now been updated in this article (no potential exposure).

@afilla - at this point in time no potential exposure for FlexNet Manager for Engineering Applications has been identified, but analysis is ongoing.

afilla · ‎Apr 15, 2022

@ChrisG can we get more details on how there is no exposure, as my customer's CSOC has identified that the a SpringFramework 3.x jar file that is vulnerable has been identified in the FNMEA agent's lib directory? They are demanding we upgrade Spring Framework but of course since it is wrapped into FNMEA we cannot do that without an update from Flexera.

kclausen · ‎Apr 15, 2022

@afilla - The current update on FNMEA is that while no exposure has been found to date, the research by Flexera is still "under assessment" - which means that it is still possible that some exposure will be found.

afilla · ‎Apr 15, 2022

@kclausen I received that same message from reading the article and from @ChrisG 's comments. I understand that you haven't published anything. However, it's been 2 weeks since the CVE was announced and we still have no information. That is not a good enough answer. At the end of the day I am going to have to take the system offline if I don't get any "details". I need a real answer with "details".

ChrisG · ‎Apr 21, 2022

Assessment of the exposure status of FlexNet Manager for Engineering Applications has been updated. See the note higher on this page.