Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

CVE-2022-22965: Spring Framework RCE

Go to answer
JoshuaLuken
Level 2

‎31-03-22 08:47 PM

Hello,

Is there any impact to BluePrism from the CVE-2022-22965 vulnerability?

Thanks!



------------------------------
Joshua Luken
------------------------------
1 BEST ANSWER

Best Answers

Go to answer
ewilson
Staff
Staff

‎31-03-22 09:00 PM

@Joshua Luken,

It's probably best to send this direct to Blue Prism Support.​

I'm going to hazard a guess though, and say it’s unlikely. Blue Prism Enterprise is .NET based, and I don't see any reference to Spring in the open source and 3rd party license acknowledgments.

However, I would still suggest you send this query direct to BP Support via the portal.

https://bpdocs.blueprism.com/bp-7-0/en-us/acknowledgements.htm?tocpath=Blue%20Prism%20version%207%7CBlue%20Prism%20Third-Party%20Licenses%20and%20Acknowledgments%7C_____0


Cheers,

------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------

View answer in original post

0 Likes
4 REPLIES 4

Go to answer
ewilson
Staff
Staff

‎31-03-22 09:00 PM

@Joshua Luken,

It's probably best to send this direct to Blue Prism Support.​

I'm going to hazard a guess though, and say it’s unlikely. Blue Prism Enterprise is .NET based, and I don't see any reference to Spring in the open source and 3rd party license acknowledgments.

However, I would still suggest you send this query direct to BP Support via the portal.

https://bpdocs.blueprism.com/bp-7-0/en-us/acknowledgements.htm?tocpath=Blue%20Prism%20version%207%7CBlue%20Prism%20Third-Party%20Licenses%20and%20Acknowledgments%7C_____0


Cheers,

------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------
0 Likes

Go to answer
SteveBoggs
Staff
Staff

‎01-04-22 05:41 PM

On the morning of March 31st, Blue Prism was alerted to the following critical Remote Code Execution vulnerabilities (CVE-2022-22963 & CVE-2022-2296) in spring framework:

  • CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
  • CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression

Our product security team has investigated these, and we can confirm that Blue Prism is not affected by these vulnerabilities. We do not use the Spring framework in any internally developed Blue Prism projects, and there are no reported concerns with any associated 3rd-party applications such as Logstash, ABBYY, or TrustPortal.

Please route your inquiries and concerns to Blue Prism Global Customer Support if you require any further guidance.



------------------------------
Steve Boggs
Senior Software Support Engineer
Blue Prism
Austin, TX
------------------------------

Go to answer
SriGuru_GaneshN
Level 3
In response to SteveBoggs

‎05-04-22 11:40 AM

Thanks Steven. Could you please point us to the official communication pdf if any from Blueprism on the same. this will be of great help.

------------------------------
SriGuru Ganesh N G
------------------------------
0 Likes

Go to answer
SteveBoggs
Staff
Staff
In response to SriGuru_GaneshN

‎05-04-22 02:43 PM

This information is currently a pinned article on our Knowledge Base landing page, and is available in this article here: https://help.blueprism.com/Installation-Platform/Security/1819550462/Spring-Framework-vulnerability-Blue-Prism-not-affected.htm

------------------------------
Steve Boggs
Senior Software Support Engineer
Blue Prism
Austin, TX
------------------------------
0 Likes