In March 2022, reports emerged of multiple vulnerabilities in the Spring Framework and its operating environments. A malicious cyber actor may be able to exploit these vulnerabilities to execute arbitrary code, including malware or ransomware. VMware has released a security advisory which addresses CVE-2022-22963 in Spring Cloud Function and CVE-2022-22965 in Spring WebFlux applications. The Spring4Shell vulnerability has been likened to the Apache Log4j vulnerabilities discovered in late 2021. Like Apache Log4j, the Spring Framework is a ubiquitous building block used in potentially hundreds of thousands of applications across the internet, and the vulnerability allows malicious cyber actors to execute arbitrary code on target machines.
Please find related information here: https://www.cyber.gov.au/acsc/view-all-content/alerts/multiple-vulnerabilities-present-spring-framework-java
Inner Range’s Position
None of Inner Range’s products utilize the Spring Framework in any form. All three of our Security and Access Control Systems (Integriti, Inception and Insight), our cloud platforms (SkyTunnel, Skycommand, Keypoint and Multipath), and our alarm reporting devices (T4000) use alternate frameworks and are not affected by this vulnerability.
Whilst Inner Range’s suite of products is not affected by the vulnerability, this statement does not cover the various systems that our products are integrated with, since those 3rd party products may themselves be vulnerable. This includes applications that utilize our REST API, DUIM, and Review IO functions. Customers seeking clarification on these should direct their enquiries to the vendors of those 3rd party products.
Spring4Shell Vulnerability Statement – April 2022
The specifications and descriptions of products and services contained in this tech bulletin were correct at the time of publishing. Inner Range reserves the right to change specifications or withdraw products without notice.