Spring4Shell Issue (CVE-2022-22965; CVE-2022-22963)
Publication Date: April 6th, 2022
Important: For more recent security updates, see the Trust Center Updates section on the Qlik Security Portal. Subscribe to the Trust Center Updates to be notified by email when a security update is published.
According to the information published on https://tanzu.vmware.com/security/cve-2022-22965, the exploit for CVE-2022-22965 impacts systems with all of the following characteristics:
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as WAR
- spring-webmvc or spring-webflux dependency
On-premise customers who are concerned about possible exposure to this vulnerability can mitigate the issue by using JDK 8 and/or Apache Tomcat 9.0.62+, which contains a fix to harden the class-loader to mitigate this exploit. Out of an abundance of caution, we will release patches to update to a fixed version of Spring for both CVE-2022-22965 and CVE-2022-22963 as per the following table.
| Product | Version | Impact | Comments |
|---|---|---|---|
| ESB Runtime | 8.0 | Yes | Will be patched in 8.0.1-R2022-04 monthly release |
| ESB Runtime | 7.3 | Yes | Will be patched in 7.3.1-R2022-04 monthly release |
| ESB Runtime | 7.2 | Yes | Patch information pending |
| ESB Runtime | All other versions | Not impacted | Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable. CVE-2022-22963 is not applicable to ESB Runtime. |
| IAM | 8.0 | Yes | Patch information pending |
| IAM | 7.3 | Yes | Patch information pending |
| IAM | 7.2 | Yes | Patch information pending |
| IAM | All other versions | Not impacted | Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable. CVE-2022-22963 is not applicable to IAM. |
| MDM | 8.0 | Yes | Patch will be available on 11-APR-22 |
| MDM | 7.3 | Yes | Patch will be available on 08-APR-22 |
| MDM | 7.2 | TBC | |
| MDM | All other versions | TBC | |
| Talend Studio | 8.0 | Yes | ESB, Big Data, DI (tDQReportRun), microservices to be rebuilt - R2022-04 (no date yet) |
| Talend Studio | 7.3 | Yes | ESB, Big Data, DI (tDQReportRun), microservices to be rebuilt - R2022-04 (no date yet) |
| Talend Studio | 7.2 | Yes | ESB, microservices to be rebuilt - Patch information pending |
| Talend Studio | All other versions | Not impacted | Since we only support Java 8 with these versions, the published exploit for CVE-2022-22965 is not applicable. CVE-2022-22963 is not applicable to Studio. |
| Talend Cloud Applications | All | Yes | As of April 1, we implemented blocking of external exploitation attempts on Talend Cloud Products for these CVEs. However, we will also update any Talend Cloud application that has a dependency on Spring. No impact for customers. |
| Remote Engine Gen1 | All | Yes | Patch information pending |
| Remote Engine Gen1 (Marketplace) | All | Yes | Patch information pending |
| Remote Engine Gen2 | All | Yes | Patch information pending |
| Talend Data Preparation | 8.0 | Yes | Patch information pending |
| Talend Data Preparation | 7.3.1 | Yes | Patch information pending |
| Talend Data Preparation | 7.2.1 | TBC | |
| Talend Data Preparation | All other versions | TBC | |
| Talend Data Stewardship | 8.0 | Yes | Patch information pending |
| Talend Data Stewardship | 7.3.1 | Yes | Patch information pending |
| Talend Data Stewardship | 7.2.1 | TBC | |
| Talend Data Stewardship | All other versions | TBC | |
| Talend SAP RFC Server | 8.0 | Yes | Patch information pending |
| Talend SAP RFC Server | 7.3.1 | Yes | Patch information pending |
| Talend SAP RFC Server | 7.2.1 | TBC | |
| Talend SAP RFC Server | All other versions | Not impacted | |
| | All versions | Not impacted | |
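The four exposure characteristics listed above, together with the Tomcat 9.0.62+ class-loader hardening, can be turned into a self-assessment check for a single WAR deployed on Tomcat. The following is an added example written for this page, not Talend or Qlik code; the function names, the in-memory WAR fixture, and the choice to model only the 9.0.62 Tomcat threshold named in the advisory are assumptions.

```python
import io
import re
import zipfile

# Advisory conditions: JDK >= 9, Tomcat as container, WAR packaging, spring-webmvc/webflux.
SPRING_WEB_JARS = ("spring-webmvc", "spring-webflux")
TOMCAT_HARDENED = (9, 0, 62)  # version the advisory cites for the class-loader hardening

def parse_version(text):
    """'9.0.62' -> (9, 0, 62); trailing build suffixes are ignored (assumption)."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def war_has_spring_web(war_bytes):
    """True when WEB-INF/lib of the WAR carries a spring-webmvc or spring-webflux jar."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            base = name.rsplit("/", 1)[-1]
            if name.startswith("WEB-INF/lib/") and base.startswith(SPRING_WEB_JARS):
                return True
    return False

def assess(jdk_major, tomcat_version, war_bytes):
    """Return (exposed, reasons) for one WAR deployed on Tomcat (container and WAR
    packaging are given by the inputs). Only the 9.0.62 threshold named in the
    advisory is modelled; other Tomcat branches are not evaluated (simplification)."""
    reasons = []
    if jdk_major >= 9:
        reasons.append(f"JDK {jdk_major} >= 9")
    if parse_version(tomcat_version) < TOMCAT_HARDENED:
        reasons.append(f"Tomcat {tomcat_version} predates the 9.0.62 hardening")
    if war_has_spring_web(war_bytes):
        reasons.append("WAR bundles spring-webmvc/spring-webflux")
    return len(reasons) == 3, reasons

def make_sample_war(jar_names):
    """Constructed fixture: a minimal WAR-shaped zip with the given WEB-INF/lib jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in jar_names:
            war.writestr(f"WEB-INF/lib/{jar}", b"")
    return buf.getvalue()

if __name__ == "__main__":
    war = make_sample_war(["spring-webmvc.jar", "spring-core.jar"])
    print(assess(11, "9.0.58", war))  # all three advisory conditions hold
    print(assess(8, "9.0.58", war))   # JDK 8: the published exploit is not applicable
    print(assess(11, "9.0.62", war))  # Tomcat already hardened
```

A result of `exposed == False` only means the published exploit's preconditions are not all met; applying the vendor patches listed in the table is still the intended fix.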