First released: 2022-04-04
Last updated: 2022-05-10
Status: final
Summary
Critical Vulnerabilities in the Java Spring Framework
On March 31st 2022, the following critical vulnerability in the Java Spring Framework affecting versions 5.3.x prior to 5.3.18 and 5.2.x prior to 5.2.20 as well as all older and unsupported versions was disclosed:
- CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
On March 29th, 2022, the following critical vulnerability in the Java Spring Cloud Functions versions 3.1.6, 3.2.2 and older unsupported versions was disclosed:
- CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
ETAS's Response to These Vulnerabilities
ETAS assesses all products and services for impact from all listed CVEs. CVE-2022-22963 is not applicable to any of ETAS’s products. The remainder of the document thus handles CVE-2022-22965.
Affected Products
SaaS Offerings
All ETAS SaaS offerings have been analyzed and were either not affected or updated/mitigated where applicable. No systems were compromised.
Vulnerable Products
No products have been identified to be vulnerable to exploitation of the listed CVEs.
Products Confirmed Not Vulnerable
Data Acquisition and Processing
- ASCMO
- EATB
- INCA
- INCA-EIP
- INCA-FLEXRAY
- INCA-LIN
- INCA-MCE
- INCA-MIP
- INCA-QM-BASIC
- INCA-TOUCH
- ODX-LINK
- INCA-FLOW
- INCA-RDE
- MDA
- MDF-IP
- XCP-IP
Development Tools
- ASCET
- COSYM
- EHANDBOOK
- SCODE
Vehicle OS
- ISOLAR
- ISOLAR-A
- ISOLAR-B
- ISOLAR-EVE
- RTA
- RTA-CAR
- RTA-OS
- RTA-RTE
- RTA-BSW
- RTA-FBL
- RTA-VRTE
- RTA-LWHVR
- RTA-SUM
- MCAL-IFX