topic RE: CVE-2022-22965: Spring Framework RCE in Product Forum

CVE-2022-22965: Spring Framework RCE

JoshuaLuken — Thu, 31 Mar 2022 19:47:00 GMT

Hello,

Is there any impact to BluePrism from the CVE-2022-22965 vulnerability?

Thanks!

------------------------------
Joshua Luken
------------------------------

RE: CVE-2022-22965: Spring Framework RCE

ewilson — Thu, 31 Mar 2022 20:00:00 GMT

@Joshua Luken,

It's probably best to send this direct to Blue Prism Support.

I'm going to hazard a guess though, and say it’s unlikely. Blue Prism Enterprise is .NET based, and I don't see any reference to Spring in the open source and 3rd party license acknowledgments.

However, I would still suggest you send this query direct to BP Support via the portal.

https://bpdocs.blueprism.com/bp-7-0/en-us/acknowledgements.htm?tocpath=Blue%20Prism%20version%207%7CBlue%20Prism%20Third-Party%20Licenses%20and%20Acknowledgments%7C_____0

Cheers,

------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------

RE: CVE-2022-22965: Spring Framework RCE

steven.boggs — Fri, 01 Apr 2022 16:41:00 GMT

On the morning of March 31st, Blue Prism was alerted to the following critical Remote Code Execution vulnerabilities (CVE-2022-22963 & CVE-2022-2296) in spring framework:

CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression

Our product security team has investigated these, and we can confirm that Blue Prism is not affected by these vulnerabilities. We do not use the Spring framework in any internally developed Blue Prism projects, and there are no reported concerns with any associated 3rd-party applications such as Logstash, ABBYY, or TrustPortal.

Please route your inquiries and concerns to Blue Prism Global Customer Support if you require any further guidance.

------------------------------
Steve Boggs
Senior Software Support Engineer
Blue Prism
Austin, TX
------------------------------

RE: CVE-2022-22965: Spring Framework RCE

SriGuru_GaneshN — Tue, 05 Apr 2022 10:40:00 GMT

Thanks Steven. Could you please point us to the official communication pdf if any from Blueprism on the same. this will be of great help.

------------------------------
SriGuru Ganesh N G
------------------------------

RE: CVE-2022-22965: Spring Framework RCE

steven.boggs — Tue, 05 Apr 2022 13:43:00 GMT

This information is currently a pinned article on our Knowledge Base landing page, and is available in this article here: https://help.blueprism.com/Installation-Platform/Security/1819550462/Spring-Framework-vulnerability-Blue-Prism-not-affected.htm

------------------------------
Steve Boggs
Senior Software Support Engineer
Blue Prism
Austin, TX
------------------------------