Spring4Shell Zero Day Vulnerability - 04.01.2022 12:00 pm MST
Zero-Day Exploit in Spring Framework | Spring4Shell
Crownpeak is actively monitoring the Spring4Shell zero-day CVE-2022-22965 vulnerability. Please see CVE-2022-22963 and CVE-2022-22965. Our operations team has performed a thorough review of internal systems and support applications to determine if Crownpeak systems contain any exposure to the vulnerability. These two vulnerabilities have been discovered almost at the same time and thus tend to get mixed up in the news although they have different attack vectors. At this time, no exploits have been identified while we continue to perform our investigation.
We are actively monitoring and managing the issue and have a team working on identifying potential risks in our software components and services. This article will be updated regularly to provide information about how the vulnerability affects Crownpeak and its ecosystem as well as details on how we handle the issue and what you can do to secure your systems.
Be aware that this vulnerability affects many applications as it's an issue in a framework widely used. The information contained in this article is thus not showing the whole picture but is strongly focused on Crownpeak.
Updates to this article are summarized in the changelog at the end of this article. If you have additional questions or need additional information, please contact the Technical Support team.
Software as a Service (SaaS)
This section covers the use of Crownpeak products and services in a sofware-as-a-service (SaaS) environment, meaning you are a SaaS customer having e-Spirit operate your FirstSpirit ecosystem.
✓ Digital Experience Management Platform
The core of the Digital Experience Management Platform (DXM) is not affected by the vulnerabilities.
✓ Digital Quality Management Platform
The core of the Digital Quality Management Platform (DQM) is not affected by the vulnerabilities.
✓ Digital Governance Management Platform
The core of the Digital Governance Management Platform (DGM) is not affected by the vulnerabilities.
We will update this article as we learn more. Please also keep an eye on this article to immediately learn about new developments.
To learn more about the vulnerability in general and how to address it in you environment we recommend the following resources: