Security Advisory: Assessment of Flexera's products' exposure to Spring Framework RCE Vulnerability CVE-2022-22965

Resnofendri, Level 7 Flexeran

Summary

A critical vulnerability potentially allowing remote code execution in Spring Framework, impacting all versions prior to 5.3.18 and prior to 5.2.20, has been publicly disclosed. The vulnerability has been assigned the identifier CVE-2022-22965 and is also commonly referred to as "Spring4Shell".

This article provides currently available information about the potential impact of the vulnerability on Flexera products.

NOTE: This is an ongoing assessment. Updates will be made to this advisory as further information becomes available.

We also recommend customers proactively monitor the "Spring Framework RCE, Early Announcement" blog post for continued updates directly from the Spring team.

Flexera product assessment

Product | Potential Exposure to CVE-2022-22965 | Potentially Exposed Components or Versions | Fixed Version | Mitigation
--- | --- | --- | --- | ---
AdminStudio | No | N/A | N/A | N/A
App Portal / App Broker | No | N/A | N/A | N/A
Cloud Management Platform | No | N/A | N/A | N/A
CloudScape / Foundation | No | N/A | N/A | N/A
Columbus | No | N/A | N/A | N/A
Data Platform | No | N/A | N/A | N/A
FlexNet Manager Suite On Premises | No | N/A | N/A | N/A
FlexNet Manager for Engineering Applications | Yes | All up to 2021 R1 SP2 | Pending | See note
Flexera One: | | | |
Cloud Cost Optimization (Optima) | No | N/A | N/A | N/A
IT Asset Management | No | N/A | N/A | N/A
IT Visibility | No | N/A | N/A | N/A
SaaS Management | No | N/A | N/A | N/A
Software Vulnerability Manager Cloud | No | N/A | N/A | N/A
Software Vulnerability Manager On Premises | No | N/A | N/A | N/A
Software Vulnerability Research | No | N/A | N/A | N/A
Spider | No | N/A | N/A | N/A
Technopedia | No | N/A | N/A | N/A
Workflow Manager | No | N/A | N/A | N/A

The information on this page reflects:

  • The assessed status of Flexera's SaaS systems.
  • The assessed status of all versions of Flexera's products that are still supported (that is, they have not yet reached their End of Life). Product lifecycle dates can be found at https://docs.flexera.com/eol/default.htm.

Information about Spring Framework in FlexNet Manager for Engineering Applications

Current versions of FlexNet Manager for Engineering Applications include a version of the Spring Framework components that contains the CVE-2022-22965 vulnerability. However, no use of the specific Spring Framework functionality that is the subject of the vulnerability has been identified.

Regardless of this, and out of an abundance of caution, Flexera is planning to release an update to FlexNet Manager for Engineering Applications that contains updated Spring Framework components by the end of May 2022.
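The advisory distinguishes two questions: whether an affected Spring Framework jar is present in a product's installation (the situation a customer's security team can observe by looking in the product's lib directory), and whether the product actually uses the affected functionality, which only the vendor's assessment can answer. The following script, an added example and not Flexera code, inventories the first question only: it walks a lib directory, reads each spring-*.jar's version from its manifest (falling back to the file name), and flags versions inside the ranges the advisory quotes as affected (prior to 5.2.20, and 5.3.x prior to 5.3.18). The jar names and manifest contents are constructed for the demonstration; a "fixed" result means the jar is outside those ranges, and an affected result means the vendor's usage assessment, not the scan, decides exploitability.

```python
"""Inventory Spring Framework jars under a directory and flag versions inside
the CVE-2022-22965 affected ranges quoted in the advisory.

Added example, not Flexera code. The jar files written by make_sample_lib_dir()
are constructed fixtures (a manifest only, no classes).
"""
import os
import re
import tempfile
import zipfile

# Fixed versions named in the advisory: 5.2.20 for the 5.2 line, 5.3.18 for 5.3.
FIXED_5_2 = (5, 2, 20)
FIXED_5_3 = (5, 3, 18)

# spring-core-5.3.17.RELEASE.jar -> "5.3.17"
JAR_NAME = re.compile(r"^spring-[a-z]+-(\d+(?:\.\d+)+)[^/]*\.jar$")


def parse_version(text):
    """'5.3.17.RELEASE' -> (5, 3, 17); None when there is no numeric prefix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """True if the version lies in an affected range; None if the version is unknown."""
    if version is None:
        return None                  # could not be determined: review manually
    if version >= FIXED_5_3:
        return False                 # 5.3.18 and later
    if version[:2] == (5, 3):
        return True                  # 5.3.0 .. 5.3.17
    return version < FIXED_5_2       # everything below 5.2.20, 3.x and 4.x included


def jar_version(path):
    """Prefer Implementation-Version from META-INF/MANIFEST.MF; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        if m:
            return parse_version(m.group(1))
    except (zipfile.BadZipFile, KeyError):
        pass                         # not a jar, or no manifest: try the name
    m = JAR_NAME.match(os.path.basename(path))
    return parse_version(m.group(1)) if m else None


def scan_lib_dir(lib_dir):
    """Return {jar name: (version tuple or None, affected flag)} for every spring-*.jar."""
    findings = {}
    for root, _dirs, files in os.walk(lib_dir):
        for name in files:
            if name.startswith("spring-") and name.endswith(".jar"):
                version = jar_version(os.path.join(root, name))
                findings[name] = (version, is_affected(version))
    return findings


def make_sample_lib_dir():
    """Write constructed spring jars to a temp directory and return its path."""
    lib = tempfile.mkdtemp(prefix="sample-lib-")
    samples = {                      # file name -> Implementation-Version (None = absent)
        "spring-core-3.2.18.RELEASE.jar": "3.2.18.RELEASE",
        "spring-webmvc-5.3.17.jar": "5.3.17",
        "spring-beans-5.3.18.jar": "5.3.18",
        "spring-context-5.2.20.RELEASE.jar": None,   # version taken from the file name
    }
    for name, impl_version in samples.items():
        manifest = "Manifest-Version: 1.0\n"
        if impl_version:
            manifest += f"Implementation-Version: {impl_version}\n"
        with zipfile.ZipFile(os.path.join(lib, name), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
    return lib


if __name__ == "__main__":
    lib = make_sample_lib_dir()
    for jar, (version, affected) in sorted(scan_lib_dir(lib).items()):
        status = {True: "AFFECTED", False: "fixed", None: "unknown"}[affected]
        print(f"{status:9} {jar} {version}")
```

Point scan_lib_dir() at a real lib directory to get the same inventory; jars whose version cannot be read are reported as unknown rather than silently passed, since an unreadable manifest is exactly the case that needs a human look.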

Related information

Change log

2022-04-01 22:00 UTC: Initial notice posted.

2022-04-05 04:30 UTC: Assessment for initial set of Flexera products posted.

2022-04-07 02:15 UTC: Updated assessment status for CloudScape / Foundation, Data Platform, Cloud Cost Optimization, and IT Visibility.

2022-04-07 23:20 UTC: Updated assessment status for Technopedia.

2022-04-14 18:15 UTC: Updated assessment status for Flexera One IT Asset Management.

2022-04-21 09:25 UTC: Updated assessment status for FlexNet Manager for Engineering Applications.

11 Comments
ChrisG, Community Manager

This post has been updated to note the current assessment for many Flexera products.

ChrisG, Community Manager

The assessment status for the following products has been updated on this page: CloudScape / Foundation, Data Platform, Cloud Cost Optimization, and IT Visibility.

mfranz, Level 16 Champion

I love how transparent this is being made lately!

ChrisG, Community Manager

The assessment status for Technopedia has now been updated on this page.

bruce_giles, Level 7

Hi Chris, any indication when the assessment for "IT Asset Management" under Flexera One will be completed?

Thanks in Advance

Bruce

afilla, Level 6

Is there an update for FNMEA yet?

ChrisG, Community Manager

@bruce_giles - the status of Flexera One ITAM has now been updated in this article (no potential exposure).

@afilla - at this point in time no potential exposure for FlexNet Manager for Engineering Applications has been identified, but analysis is ongoing.

afilla, Level 6

@ChrisG can we get more details on how there is no exposure, as my customer's CSOC has identified that a Spring Framework 3.x jar file that is vulnerable has been identified in the FNMEA agent's lib directory? They are demanding we upgrade Spring Framework, but of course since it is wrapped into FNMEA we cannot do that without an update from Flexera.

kclausen, Flexera Alumni

@afilla - The current update on FNMEA is that while no exposure has been found to date, the research by Flexera is still "under assessment" - which means that it is still possible that some exposure will be found.

afilla, Level 6

@kclausen I received that same message from reading the article and from @ChrisG 's comments. I understand that you haven't published anything. However, it's been 2 weeks since the CVE was announced and we still have no information. That is not a good enough answer. At the end of the day I am going to have to take the system offline if I don't get any "details". I need a real answer with "details".

ChrisG, Community Manager

Assessment of the exposure status of FlexNet Manager for Engineering Applications has been updated. See the note higher on this page.