Vulnerability in Spring Framework Remote Code Execution affects WithSecure Products
On March 31, 2022, a critical vulnerability was announced in the Spring framework, which is used by many vendors with Java based products.
WithSecure is aware of this vulnerability (CVE-2022-22965), which affects Spring MVC in the Spring Framework.
As part of the WithSecure investigation, we found that the framework is used in the following WithSecure™ products, which are therefore affected:
- F-Secure Policy Manager Version 15 onwards
- F-Secure Policy Manager for Linux Version 15 onwards
- F-Secure Policy Manager Proxy Version 15 onwards
- F-Secure Elements Connector (all versions)
During the investigation, it was determined that while these products include the affected version of the Spring Framework, they are not exploitable by any currently known exploits. WithSecure™ teams have created fixes for these products:
Policy Manager: https://download.f-secure.com/corpro/pm/pms-pmp-hotfix-spring4shell-5.2.20.zip (applies to all affected versions)
Elements Connector: https://download.sp.f-secure.com/PSB/latest/installer/ec-hotfix-spring4shell-5.2.20.zip
Some third-party vulnerability scanners detect these products as affected, but they are simply checking the version of the Spring Framework and not actively checking the product configuration to see if the products are exploitable.
For a description of this vulnerability, see the VMware Spring Framework Security Vulnerability Report.
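The distinction the paragraph above draws, a vulnerable library version being present versus the deployment actually meeting the conditions of the known exploit, can be made explicit in triage logic. The following is an added example, not code from WithSecure or from the Spring project; the version ranges and exploit preconditions (JDK 9 or newer, Apache Tomcat, traditional WAR packaging, spring-webmvc or spring-webflux on the classpath) are those published in the VMware Spring advisory, and the deployment records are constructed.

```python
"""Triage helper for CVE-2022-22965: tell 'vulnerable Spring version present'
apart from 'configuration matches the publicly known exploit'."""
from dataclasses import dataclass


def version_tuple(v: str) -> tuple:
    # Keep only the leading numeric components ("4.3.30.RELEASE" -> (4, 3, 30)).
    parts = []
    for p in v.split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def spring_version_affected(v: str) -> bool:
    """Spring Framework 5.3.0-5.3.17, 5.2.0-5.2.19 and older versions are
    affected; 5.3.18 and 5.2.20 carry the fix (per the VMware advisory)."""
    t = version_tuple(v)
    if t[:2] == (5, 3):
        return t < (5, 3, 18)
    if t[:2] == (5, 2):
        return t < (5, 2, 20)
    return t < (5, 2)


@dataclass
class Deployment:
    spring_version: str
    java_major: int
    container: str      # e.g. "tomcat", "jetty", "embedded"
    packaging: str      # "war" or "jar"
    web_modules: tuple  # Spring artifacts found on the classpath


def triage(d: Deployment) -> str:
    """Return 'not-affected', 'version-only' or 'exploitable'.
    'version-only' is the case a version-matching scanner flags even though
    the known exploit's preconditions are not met."""
    if not spring_version_affected(d.spring_version):
        return "not-affected"
    meets_known_exploit_conditions = (
        d.java_major >= 9
        and d.container == "tomcat"
        and d.packaging == "war"
        and any(m in ("spring-webmvc", "spring-webflux") for m in d.web_modules)
    )
    return "exploitable" if meets_known_exploit_conditions else "version-only"


if __name__ == "__main__":
    # Constructed deployment record, not taken from any real product.
    sample = Deployment("5.2.19", 8, "tomcat", "war", ("spring-webmvc",))
    print(triage(sample))  # version-only: affected library, JDK 8 rules out the known exploit
```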
We will update the advisory page as additional information becomes available.