CVE Summary : A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
CVE Reference : https://nvd.nist.gov/vuln/detail/CVE-2022-22965
Logpoint Summary :
LogPoint uses the Spring Framework in the report engine only to connect to MongoDB through the Spring-Mongo API; spring-beans-3.1.2.RELEASE.jar is pulled in as a transitive dependency of that integration. This version predates the fixed releases (5.2.20 and 5.3.18), so our protection rests on the exploit's preconditions not being met rather than on a patched library. The Spring library has no external exposure: LogPoint does not use Spring controllers and does not accept web requests through the Spring framework, so the request data-binding path the exploit relies on is never reached. We are therefore not directly impacted by this vulnerability. We also fall outside the conditions required by the published exploit, for the following reasons:
- We are not using any Spring web framework (spring-webmvc or spring-webflux), so Spring never binds web request parameters.
- We are using Java 8, not Java 9 or later.
- We do not package the application as a WAR and do not run it in a servlet container such as Tomcat.
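The conditions listed above are the ones a practitioner can check mechanically on any Java deployment. The script below is an added example, not LogPoint's own tooling: it classifies a deployment against the public preconditions of CVE-2022-22965 (an unpatched Spring Framework module on the classpath, JDK 9 or newer, a Spring web module present, and WAR deployment in a servlet container). The jar names, `java -version` strings and the `war_deployment` flag are constructed sample inputs, not real LogPoint artifacts; the version thresholds (5.2.20 and 5.3.18 fixed, older lines unsupported) come from the upstream fix announcement.

```python
"""Classify a Java deployment against the CVE-2022-22965 exploit preconditions.

Added example, not LogPoint code. The preconditions checked are:
  1. an unpatched Spring Framework module on the classpath,
  2. JDK 9 or newer,
  3. spring-webmvc or spring-webflux present (Spring binds request data),
  4. deployment as a WAR inside a servlet container (supplied by the caller).
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Spring Framework modules that ship the data-binding code the CVE is in.
SPRING_CORE_ARTIFACTS = {"spring-beans", "spring-core", "spring-context"}
# Modules whose presence means Spring itself binds web request parameters.
SPRING_WEB_ARTIFACTS = {"spring-webmvc", "spring-webflux"}

_JAR_RE = re.compile(r"^(spring-[a-z-]+?)-(\d+\.\d+\.\d+)([.\-][A-Za-z0-9.]+)?\.jar$")
_JAVA_RE = re.compile(r'version "(\d+)(?:\.(\d+))?')

# Constructed sample inputs (hypothetical, not real LogPoint artifacts):
# a report-engine-style classpath where Spring is present only for MongoDB.
SAMPLE_REPORT_ENGINE_JARS = [
    "lib/spring-beans-3.1.2.RELEASE.jar",
    "lib/spring-core-3.1.2.RELEASE.jar",
    "lib/spring-data-mongodb-1.1.0.RELEASE.jar",
    "lib/mongo-java-driver-2.9.3.jar",
]
SAMPLE_JAVA8_VERSION = 'openjdk version "1.8.0_322"\nOpenJDK Runtime Environment (build 1.8.0_322-b06)'
# A web application that meets every precondition of the published exploit.
SAMPLE_WEBAPP_JARS = ["spring-beans-5.3.17.jar", "spring-webmvc-5.3.17.jar"]
SAMPLE_JAVA11_VERSION = 'openjdk version "11.0.14" 2022-01-18'


def parse_spring_jar(jar_name: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (artifact, (major, minor, patch)) for a Spring jar name, else None.

    Accepts both 'spring-beans-3.1.2.RELEASE.jar' and 'spring-webmvc-5.3.17.jar'.
    """
    m = _JAR_RE.match(jar_name.rsplit("/", 1)[-1])
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2).split("."))


def java_major_version(version_output: str) -> Optional[int]:
    """Extract the major version from `java -version` output.

    Pre-9 JDKs report '1.8.0_322' (major 8); JDK 9+ report e.g. '11.0.14'.
    """
    m = _JAVA_RE.search(version_output)
    if not m:
        return None
    first, second = int(m.group(1)), m.group(2)
    return int(second) if first == 1 and second else first


def spring_version_patched(ver: Tuple[int, ...]) -> bool:
    """True if the Spring Framework version contains the CVE-2022-22965 fix."""
    major, minor, patch = ver[:3]
    if major > 5:
        return True
    if major == 5 and minor == 3:
        return patch >= 18
    if major == 5 and minor == 2:
        return patch >= 20
    # 5.1 and older (including the 3.x line) are unsupported and unpatched.
    return False


def assess_exposure(jar_names: Iterable[str], java_version_output: str,
                    war_deployment: bool) -> Dict[str, object]:
    """Evaluate the four preconditions and return them with a verdict.

    `war_deployment` must be supplied by the caller (whether the artifact is a
    .war dropped into Tomcat); it cannot be inferred from jar names alone.
    """
    unpatched: List[str] = []
    web: List[str] = []
    for name in jar_names:
        parsed = parse_spring_jar(name)
        if parsed is None:
            continue
        artifact, ver = parsed
        if artifact in SPRING_CORE_ARTIFACTS and not spring_version_patched(ver):
            unpatched.append(name)
        if artifact in SPRING_WEB_ARTIFACTS:
            web.append(name)
    major = java_major_version(java_version_output)
    conditions = {
        "unpatched_spring": bool(unpatched),
        "jdk9_or_newer": major is not None and major >= 9,
        "spring_web_present": bool(web),
        "war_deployment": war_deployment,
    }
    if all(conditions.values()):
        verdict = "EXPOSED: every precondition of the published exploit chain is met"
    elif conditions["unpatched_spring"]:
        verdict = "UNPATCHED LIBRARY: exploit chain not reachable, but upgrade when possible"
    else:
        verdict = "NOT AFFECTED: no unpatched Spring Framework module on the classpath"
    return {"conditions": conditions, "unpatched_jars": unpatched,
            "web_jars": web, "java_major": major, "verdict": verdict}


if __name__ == "__main__":
    for label, jars, jv, war in (
        ("report-engine-like", SAMPLE_REPORT_ENGINE_JARS, SAMPLE_JAVA8_VERSION, False),
        ("webapp-like", SAMPLE_WEBAPP_JARS, SAMPLE_JAVA11_VERSION, True),
    ):
        print(label, assess_exposure(jars, jv, war)["verdict"])
```

On the report-engine-like sample the verdict is "UNPATCHED LIBRARY": the old spring-beans is flagged, but with Java 8, no Spring web module and no WAR the chain is not reachable, which is exactly the position the advisory takes. The verdict deliberately distinguishes "not reachable" from "not affected" so that an upgrade of the transitive dependency still shows up in a dependency review.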
Director
- For LPSM, the impact is the same as for LogPoint.
- For the other components in Director, we are not using Spring libraries at all.
- We are still using Java 8 all across the product line.
Soar
- Currently, every SOAR container that runs Java runs on an OpenJDK 8 Alpine base image, so the JDK 9+ condition is not met.