This statement addresses concerns about ePO (ePolicy Orchestrator) and the Spring Framework vulnerability CVE-2022-22965 (commonly called "Spring4Shell").
Spring Framework security advisory
Description
CVE-2022-22965:
A Spring MVC or Spring WebFlux application running on JDK 9 or later might be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable JAR, which is the default, it isn't vulnerable to the exploit. However, the nature of the vulnerability is more general, and there might be other ways to exploit it.
The prerequisites for the exploit are:
- JDK 9 or later
- Apache Tomcat as the Servlet container
- Packaged as WAR
- Spring MVC or Spring WebFlux dependency
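The four prerequisites above are a checklist, and the one that most often decides the outcome is the Java version. A practitioner checking it has to cope with two version schemes: Java 8 and earlier report "1.8.0_321" (feature version in the second field), while Java 9 and later report "11.0.14" or "17-ea" (feature version in the first field). The following is an added example, not code from the page, from Trellix or from the Spring project; the `java -version` banners it parses are constructed samples, and the `Deployment` record and function names are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample "java -version" banners (not captured from any real ePO host).
# Java 8 and earlier use the legacy "1.<feature>.0_<update>" scheme; Java 9 and
# later (JEP 223) use "<feature>.<interim>.<update>", optionally with a suffix
# such as "-ea".
SAMPLE_BANNERS: Dict[str, str] = {
    "java8": 'java version "1.8.0_321"\nJava(TM) SE Runtime Environment (build 1.8.0_321-b07)',
    "java11": 'openjdk version "11.0.14" 2022-01-18\nOpenJDK Runtime Environment (build 11.0.14+9)',
    "java17": 'openjdk version "17.0.2" 2022-01-18\nOpenJDK Runtime Environment (build 17.0.2+8)',
}


def java_major_version(banner: str) -> int:
    """Return the Java feature (major) version from a 'java -version' banner.

    Handles both the legacy 1.x scheme (1.8.0_321 -> 8) and the JEP 223
    scheme (11.0.14 -> 11, 17-ea -> 17).
    """
    match = re.search(r'version "([^"]+)"', banner)
    if not match:
        raise ValueError("no quoted version string found in banner")
    fields = match.group(1).split(".")
    if fields[0] == "1":
        # Legacy scheme: the feature version is the second field.
        return int(fields[1])
    # JEP 223 scheme: the feature version is the leading digits of the first field.
    return int(re.match(r"\d+", fields[0]).group())


@dataclass
class Deployment:
    """Facts about one application deployment (hypothetical record type)."""
    java_banner: str
    servlet_container: str        # e.g. "Tomcat", "Jetty", "Undertow"
    packaging: str                # "war" or "jar"
    has_spring_mvc_or_webflux: bool


def unmet_prerequisites(d: Deployment) -> List[str]:
    """Return the prerequisites of the known CVE-2022-22965 exploit that this
    deployment does NOT meet. An empty list means every prerequisite is met.

    This only evaluates the published exploit's preconditions; the Spring
    advisory itself warns that the underlying issue is more general, so an
    unmet prerequisite is not the same as a patched Spring Framework.
    """
    unmet: List[str] = []
    if java_major_version(d.java_banner) < 9:
        unmet.append("JDK 9 or later")
    if d.servlet_container.strip().lower() != "tomcat":
        unmet.append("Apache Tomcat as the Servlet container")
    if d.packaging.strip().lower() != "war":
        unmet.append("Packaged as WAR")
    if not d.has_spring_mvc_or_webflux:
        unmet.append("Spring MVC or Spring WebFlux dependency")
    return unmet


def known_exploit_applies(d: Deployment) -> bool:
    """True only when all four prerequisites of the known exploit are met."""
    return not unmet_prerequisites(d)


# Constructed deployments used to exercise the checklist.
JAVA8_TOMCAT_WAR = Deployment(SAMPLE_BANNERS["java8"], "Tomcat", "war", True)
JAVA11_TOMCAT_WAR = Deployment(SAMPLE_BANNERS["java11"], "Tomcat", "war", True)
JAVA17_BOOT_JAR = Deployment(SAMPLE_BANNERS["java17"], "Tomcat", "jar", True)

if __name__ == "__main__":
    for name, dep in [("java8/tomcat/war", JAVA8_TOMCAT_WAR),
                      ("java11/tomcat/war", JAVA11_TOMCAT_WAR),
                      ("java17/boot-jar", JAVA17_BOOT_JAR)]:
        missing = unmet_prerequisites(dep)
        verdict = "known exploit applies" if not missing else "unmet: " + "; ".join(missing)
        print(f"{name}: {verdict}")
```

Running the script shows the first deployment failing only the "JDK 9 or later" prerequisite, the second meeting all four, and the Spring Boot JAR failing only "Packaged as WAR". The parser deliberately treats the legacy and JEP 223 schemes separately: a naive `split(".")[0]` comparison would read "1.8.0_321" as version 1 and "11.0.14" as version 11 correctly, but would also report Java 8 as older than Java 1 builds and break on suffixes like "17-ea".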
Research and Conclusions
The latest version of ePO runs on JRE 1.8.0_321 (Java 8). Because the known exploit requires JDK 9 or later, ePO doesn't meet the prerequisites for the exploit and isn't vulnerable to it.