CloudBees Security Advisory2022-03-30

Spring Framework RCE via Data Binding on JDK 9+ Vulnerability (CVE-2022-22965)
CloudBees is aware of the recently disclosed Spring Framework RCE via Data Binding on JDK 9+ vulnerability (CVE-2022-22965). We are currently investigating any impact of this vulnerability on our products and systems.
Non-impacted products
To the best of our knowledge, the following CloudBees products are not impacted by the vulnerability:
- CloudBees CI
- CloudBees Jenkins Platform
- CloudBees CD/RO
- CloudBees Feature Management
- Customer Success Services
- CloudBees Build Acceleration
- CloudBees CodeShip
- CloudBees Console
- DevOptics
Note: The vulnerability can only be exploited with a combination of components. Some CloudBees products do have Spring Framework jars bundled, such as spring-beans. Our investigation shows that none of the products are using spring-webmvc or spring-webflux, making it impossible for the security vulnerability to be exploited as described in CVE-2022-22965.
Under investigation
We are continuing to investigate any impact to these products and systems:
- Third-party services
We will keep this page updated with our findings.
Update History
2022-03-30 - Initial statement
2022-03-31 - (1) CVE disclosed; Added list of non-impacted products
2022-03-31 - (2) CloudBees CI and CloudBees Jenkins Platform added to list of non-impacted products; Identified products under investigation
2022-03-31 - (3) CloudBees CD/RO added to list of non-impacted products
20222-04-01 - Added note about Spring components
Note
Warning