CAST and Spring4Shell vulnerability

Two vulnerabilities in the Spring ecosystem, commonly grouped under the name Spring4Shell, have recently been disclosed: CVE-2022-22963 (remote code execution in Spring Cloud Function through a malicious Spring Expression) and CVE-2022-22965 (Spring Core remote code execution vulnerability, exploited in the wild, also known as SpringShell).

We are currently assessing the impact on our products and working on remediation. We will update this page as soon as new information is available, as well as the following documentation page:

https://doc.castsoftware.com/display/CAST/Spring+Framework+-+CVE+vulnerabilities

So far, this is what we can assess:

CAST Highlight is not impacted:

  • CVE-2022-22963 - This component is not used in CAST Highlight
  • CVE-2022-22965 - CAST Highlight is not packaged as a traditional WAR (we deploy a Spring Boot executable jar), and Highlight does not use parameter binding because its APIs use JSON and XML

Highlight has been upgraded to Spring Boot 2.5.12 to address the Spring4Shell vulnerability (CVE-2022-22965).
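The preconditions the page cites for CVE-2022-22965 (traditional WAR packaging and request-parameter binding) and the Spring Boot version a build actually ships are facts a defender can verify directly in the deployed artifact rather than take on trust. The following Python script is an added example, not CAST's code: it opens a jar or war, infers the packaging from the presence of a WEB-INF/ directory, reads the Spring-Boot-Version manifest attribute (assumed to be present, as Spring Boot's repackaging writes it), lists the bundled spring-* jars, and compares the Boot version against the 2.5.12 release this page mentions. The sample archives it builds are constructed for illustration only; whether an application binds request parameters to beans cannot be read from the archive and still needs a code review.

```python
import io
import re
import zipfile

# Spring Boot version this page states Highlight moved to for CVE-2022-22965.
MIN_SPRING_BOOT = (2, 5, 12)

# Bundled Spring jars live under BOOT-INF/lib in an executable jar, WEB-INF/lib in a war.
LIB_JAR_RE = re.compile(
    r"^(?:BOOT-INF|WEB-INF)/lib/(spring-[a-z-]+)-(\d+\.\d+\.\d+[^/]*)\.jar$")


def parse_version(text):
    """Reduce '2.5.12' or '5.3.17.RELEASE' to a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_archive(data):
    """Inspect the raw bytes of a jar/war and report the facts relevant to CVE-2022-22965.

    Packaging is inferred from a WEB-INF/ directory. The Spring Boot version is taken
    from the Spring-Boot-Version manifest attribute (assumed present; if your build does
    not write it, fall back to the spring-boot-* jar name listed in spring_jars).
    """
    report = {"packaging": "jar", "spring_boot_version": None,
              "boot_version_ok": None, "spring_jars": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.startswith("WEB-INF/") for n in names):
            report["packaging"] = "war"
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Spring-Boot-Version:"):
                    report["spring_boot_version"] = line.split(":", 1)[1].strip()
        for n in names:
            m = LIB_JAR_RE.match(n)
            if m:
                report["spring_jars"].append((m.group(1), m.group(2)))
    if report["spring_boot_version"] is not None:
        v = parse_version(report["spring_boot_version"])
        report["boot_version_ok"] = v is not None and v >= MIN_SPRING_BOOT
    return report


def build_sample_archive(packaging, boot_version):
    """Constructed sample archive (not a real CAST artifact) for exercising the inspector."""
    lib_dir = "WEB-INF/lib/" if packaging == "war" else "BOOT-INF/lib/"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nSpring-Boot-Version: %s\n" % boot_version)
        # Empty placeholder jar: only the file name matters to the inspector.
        zf.writestr(lib_dir + "spring-boot-%s.jar" % boot_version, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # One archive matching the Highlight description, one that would need attention.
    for pkg, ver in (("jar", "2.5.12"), ("war", "2.5.11")):
        print(pkg, ver, inspect_archive(build_sample_archive(pkg, ver)))
```

To run it against a real artifact, pass `open(path, "rb").read()` to `inspect_archive`; a `war` packaging or a `boot_version_ok` of `False` is the signal to look closer, while a `jar` on 2.5.12 or later matches the posture described above.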

CVE-2022-22963

  • AIP Core platform is not impacted
  • CAST Imaging is not impacted
  • CAST AIP Console/AIP node is not impacted
  • Analyzers (CAST official extensions) are not impacted
  • CAST Dashboards are not impacted


CVE-2022-22965

CAST will release updates for the impacted releases in the coming days.
