CVE-2022-22963 and Spring4Shell

Two critical vulnerabilities have been announced for the Java Spring Framework. An update path has been defined on Black Duck to resolve the first vulnerability (CVE-2022-22963), which is tracked under the number BDSA-2022-0850 in the Synopsys Black Duck Knowledge Base. 

The second vulnerability, Spring4Shell, allows an attacker to remotely execute commands under certain conditions. A CVE has not yet been identified for this, but the Synopsys Cybersecurity Research team is actively working on the vulnerability and will soon publish a detailed impact report and recommendations on steps to remediate the risk.

These vulnerabilities remind us once again how important it is to know which open source components we use and prioritize vulnerabilities.

A software composition analysis (SCA) solution like Synopsys Black Duck does exactly that. It can create a Software Bill of Materials (SBOM) for an application and proactively notify you when new vulnerabilities are disclosed in the components you use.

Currently, our existing Black Duck customers can access the information of their affected applications for both these vulnerabilities on their Black Duck panels.

As Forcerta, we will be happy to provide detailed information if needed. You can contact us by sending an e-mail to [email protected] or by filling out the form below.

You can find detailed information here:

• • Spring Framework RCE, Early Announcement
  • CyRC Vulnerability Analysis: Two distinct Spring vulnerabilities discovered – Spring4Shell and CVE-2022-22963 – Security Boulevard