
CVE-2022-22965: Spring Framework RCE

JoshuaLuken
Level 2

Hello,

Is there any impact to BluePrism from the CVE-2022-22965 vulnerability?

Thanks!



------------------------------
Joshua Luken
------------------------------

ewilson
Staff

@Joshua Luken,

It's probably best to send this directly to Blue Prism Support.

I'm going to hazard a guess though, and say it’s unlikely. Blue Prism Enterprise is .NET based, and I don't see any reference to Spring in the open source and 3rd party license acknowledgments.

However, I would still suggest you send this query directly to BP Support via the portal.

https://bpdocs.blueprism.com/bp-7-0/en-us/acknowledgements.htm?tocpath=Blue%20Prism%20version%207%7CBlue%20Prism%20Third-Party%20Licenses%20and%20Acknowledgments%7C_____0


Cheers,

------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------


4 REPLIES


steven.boggs
Staff

On the morning of March 31st, Blue Prism was alerted to the following critical Remote Code Execution vulnerabilities (CVE-2022-22963 & CVE-2022-22965) in the Spring Framework:

  • CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
  • CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression

Our product security team has investigated these, and we can confirm that Blue Prism is not affected by these vulnerabilities. We do not use the Spring framework in any internally developed Blue Prism projects, and there are no reported concerns with any associated 3rd-party applications such as Logstash, ABBYY, or TrustPortal.

Please route your inquiries and concerns to Blue Prism Global Customer Support if you require any further guidance.



------------------------------
Steve Boggs
Senior Software Support Engineer
Blue Prism
Austin, TX
------------------------------
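The two answers above come down to an inventory question: does any shipped or bundled component carry a Spring Framework or Spring Cloud Function jar at an unpatched version? The script below is an added example written for this thread, not Blue Prism tooling and not anything from the vendor's knowledge base article. It walks a deployment directory, looks for `spring-beans` and `spring-cloud-function-context` jars both loose on disk and one level inside `.war`/`.jar`/`.ear`/`.zip` archives, and flags versions below the patched releases (Spring Framework 5.2.20 / 5.3.18 for CVE-2022-22965, Spring Cloud Function 3.1.7 / 3.2.3 for CVE-2022-22963). The sample directory tree it scans is constructed inside the script from empty placeholder jars and does not represent real Blue Prism files; the function names are the example's own.

```python
"""Offline check for Spring artifacts affected by CVE-2022-22965 and CVE-2022-22963.

Added example for this thread, not Blue Prism's own tooling. It walks a
directory tree, finds Spring jars on disk and inside .war/.jar/.ear/.zip
archives (WEB-INF/lib and similar), and flags versions below the patched
releases:
  CVE-2022-22965  spring-beans (Spring Framework)   fixed in 5.2.20 and 5.3.18
  CVE-2022-22963  spring-cloud-function-context    fixed in 3.1.7 and 3.2.3
A hit means "investigate", not "confirmed exploitable": CVE-2022-22965 also
needs JDK 9+ and a deployment shape such as a WAR on Tomcat.
"""
import os
import re
import tempfile
import zipfile

# Artifact name followed directly by "-<dotted numeric version>", so that
# spring-beans-5.3.17.jar and spring-beans-5.3.17.RELEASE.jar both match.
ARTIFACT_RE = re.compile(
    r"^(spring-beans|spring-cloud-function-context)-(\d+(?:\.\d+)*)[^/]*\.jar$"
)

# First fixed release on each maintained branch, oldest branch first.
FIXED = {
    "spring-beans": ("CVE-2022-22965", [(5, 2, 20), (5, 3, 18)]),
    "spring-cloud-function-context": ("CVE-2022-22963", [(3, 1, 7), (3, 2, 3)]),
}


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def is_vulnerable(artifact, version):
    """True if version is below the fix on its own branch, or older than every fixed branch."""
    v = parse_version(version)
    _, fixed_branches = FIXED[artifact]
    for fixed in fixed_branches:
        if v[:2] == fixed[:2]:
            return v < fixed
    # Unsupported older branches were also affected; newer majors are not.
    return v < fixed_branches[0]


def classify(entry_name, location):
    """Return (location, cve, artifact, version) for a vulnerable jar name, else None."""
    base = entry_name.replace("\\", "/").rsplit("/", 1)[-1]
    m = ARTIFACT_RE.match(base)
    if not m:
        return None
    artifact, version = m.group(1), m.group(2)
    if not is_vulnerable(artifact, version):
        return None
    return (location, FIXED[artifact][0], artifact, version)


def scan_tree(root):
    """Find vulnerable Spring jars under root, looking one level into archives."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            hit = classify(fn, path)
            if hit:
                hits.append(hit)
            # Web apps usually bundle Spring under WEB-INF/lib inside the WAR.
            if fn.endswith((".jar", ".war", ".ear", ".zip")) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for name in zf.namelist():
                        hit = classify(name, path + "!" + name)
                        if hit:
                            hits.append(hit)
    return hits


def build_sample_tree(base):
    """Constructed sample deployment (not real Blue Prism files): empty jar stand-ins."""
    os.makedirs(os.path.join(base, "lib"))
    for name in ("spring-beans-5.3.17.jar", "spring-beans-5.3.18.jar", "logstash-core-7.17.0.jar"):
        open(os.path.join(base, "lib", name), "wb").close()
    with zipfile.ZipFile(os.path.join(base, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/spring-beans-5.2.19.jar", b"")
        war.writestr("WEB-INF/lib/spring-cloud-function-context-3.1.6.jar", b"")
        war.writestr("WEB-INF/lib/spring-cloud-function-context-3.2.3.jar", b"")


def run_demo():
    """Build the constructed tree in a temp dir, scan it, return sorted (cve, artifact, version)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted((cve, art, ver) for _, cve, art, ver in scan_tree(tmp))


if __name__ == "__main__":
    for hit in run_demo():
        print(*hit)
```

Point `scan_tree` at the product's install directory and at any bundled third-party components (the post names Logstash, ABBYY and TrustPortal as the ones Blue Prism checked) rather than trusting the licence acknowledgements alone; a jar renamed or shaded into another archive will not be caught by a filename scan, so treat an empty result as supporting evidence, not proof.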

Thanks, Steven. Could you please point us to the official communication PDF, if any, from Blue Prism on the same? This will be of great help.

------------------------------
SriGuru Ganesh N G
------------------------------

This information is currently a pinned article on our Knowledge Base landing page, and is available here: https://help.blueprism.com/Installation-Platform/Security/1819550462/Spring-Framework-vulnerability-Blue-Prism-not-affected.htm

------------------------------
Steve Boggs
Senior Software Support Engineer
Blue Prism
Austin, TX
------------------------------