kensnyder
Head of Support

Spring4Shell Zero Day Vulnerability

Spring4Shell Zero Day Vulnerability - 04.01.2022 12:00 pm MST

Zero-Day Exploit in Spring Framework | Spring4Shell

Crownpeak is actively monitoring the Spring4Shell zero-day vulnerability, CVE-2022-22965. Please see CVE-2022-22963 and CVE-2022-22965. These two vulnerabilities were discovered at almost the same time and thus tend to get mixed up in the news, although they have different attack vectors. Our operations team has performed a thorough review of internal systems and support applications to determine whether Crownpeak systems contain any exposure to the vulnerability. At this time, no exploits have been identified while we continue to perform our investigation.

We are actively monitoring and managing the issue and have a team working on identifying potential risks in our software components and services. This article will be updated regularly to provide information about how the vulnerability affects Crownpeak and its ecosystem as well as details on how we handle the issue and what you can do to secure your systems. 

Be aware that this vulnerability affects many applications, as it is an issue in a widely used framework. The information in this article therefore does not show the whole picture but is strongly focused on Crownpeak.

Updates to this article are summarized in the changelog at the end of this article. If you have additional questions or need additional information, please contact the Technical Support team.

Software as a Service (SaaS)

This section covers the use of Crownpeak products and services in a software-as-a-service (SaaS) environment, meaning you are a SaaS customer for whom e-Spirit operates your FirstSpirit ecosystem.

Digital Experience Management Platform

The core of the Digital Experience Management Platform (DXM) is not affected by the vulnerabilities. 

Digital Quality Management Platform

The core of the Digital Quality Management Platform (DQM) is not affected by the vulnerabilities. 

Digital Governance Management Platform

The core of the Digital Governance Management Platform (DGM) is not affected by the vulnerabilities. 

Further Information

We will update this article as we learn more. Please also keep an eye on this article to immediately learn about new developments.

To learn more about the vulnerability in general and how to address it in your environment, we recommend the following resources:

If you have any questions regarding this matter, please contact our Technical Support team, who will provide answers and help keep your FirstSpirit system secure to the best of our knowledge.