CloudBees Security Advisory 2022-03-30

Spring Framework RCE via Data Binding on JDK 9+ Vulnerability (CVE-2022-22965)

CloudBees is aware of the recently disclosed Spring Framework RCE via Data Binding on JDK 9+ vulnerability (CVE-2022-22965). We are currently investigating any impact of this vulnerability on our products and systems. 

Non-impacted products

To the best of our knowledge, the following CloudBees products are not impacted by the vulnerability:

  • CloudBees CI

  • CloudBees Jenkins Platform

  • CloudBees CD/RO

  • CloudBees Feature Management

  • Customer Success Services

  • CloudBees Build Acceleration

  • CloudBees CodeShip

  • CloudBees Console

  • DevOptics

Note: The vulnerability can only be exploited with a combination of components. Some CloudBees products do have Spring Framework jars bundled, such as spring-beans. Our investigation shows that none of the products are using spring-webmvc or spring-webflux, making it impossible for the security vulnerability to be exploited as described in CVE-2022-22965.
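The reasoning in the note above (the described attack path needs spring-webmvc or spring-webflux; a bundled spring-beans jar on its own is not enough) can be turned into an inventory check for a product install. The script below is an added example, not CloudBees' tooling or code: it walks a directory, collects Spring artifacts from jar file names (including jars nested inside WAR/EAR archives under paths such as WEB-INF/lib), and classifies the install the way the advisory reasons. The directory layout, jar names and the 5.3.17 version string are constructed sample data, and the check is filename-based only, so it does not confirm exploitability (JDK version and deployment model still matter) and will miss relocated or shaded classes.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Maven artifactIds relevant to CVE-2022-22965, per the advisory's note:
# the exploitable data-binding path needs a Spring web module; spring-beans alone does not expose it.
WEB_ARTIFACTS = ("spring-webmvc", "spring-webflux")
CORE_ARTIFACTS = ("spring-beans",)

# Matches "<artifactId>-<version>.jar"; the artifact is everything before the first "-<digit>".
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$", re.IGNORECASE)


def inventory_spring_artifacts(root):
    """Return {artifactId: [(version, location), ...]} for every spring-* jar found under `root`,
    looking both at loose jars on disk and at jars nested inside .war/.ear/.jar archives."""
    found = {}

    def record(name, location):
        match = JAR_RE.match(os.path.basename(name))
        if match and match.group("artifact").lower().startswith("spring-"):
            found.setdefault(match.group("artifact").lower(), []).append((match.group("version"), location))

    for dirpath, _, files in os.walk(root):
        for filename in files:
            path = os.path.join(dirpath, filename)
            record(filename, path)
            # Archives may bundle further jars (e.g. WEB-INF/lib inside a WAR); list them without extracting.
            if filename.lower().endswith((".war", ".ear", ".jar")) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as archive:
                    for entry in archive.namelist():
                        if entry.lower().endswith(".jar"):
                            record(entry, f"{path}!/{entry}")
    return found


def assess(found):
    """Classify an inventory: 'review' if a Spring web module is present, 'core-only' if only
    non-web Spring jars such as spring-beans are bundled, 'none' if no Spring artifact was seen."""
    web = sorted(artifact for artifact in found if artifact in WEB_ARTIFACTS)
    if web:
        return "review", web
    core = sorted(artifact for artifact in found if artifact in CORE_ARTIFACTS)
    if core:
        return "core-only", core
    return "none", []


def build_sample_tree():
    """Constructed sample data: two throwaway installs, not a real product layout."""
    root = tempfile.mkdtemp(prefix="spring-inventory-")
    # Install A bundles spring-beans but no web module (the situation the advisory describes).
    lib_a = Path(root, "install-a", "lib")
    lib_a.mkdir(parents=True)
    (lib_a / "spring-beans-5.3.17.jar").write_bytes(b"placeholder, not a real jar")
    (lib_a / "guava-31.0.1-jre.jar").write_bytes(b"placeholder, not a real jar")
    # Install B ships a WAR that nests spring-webmvc under WEB-INF/lib.
    dir_b = Path(root, "install-b")
    dir_b.mkdir()
    with zipfile.ZipFile(dir_b / "app.war", "w") as war:
        war.writestr("WEB-INF/lib/spring-webmvc-5.3.17.jar", b"placeholder, not a real jar")
        war.writestr("WEB-INF/lib/spring-beans-5.3.17.jar", b"placeholder, not a real jar")
    return root


def demo():
    """Run the inventory over both sample installs and return {install name: (verdict, artifacts)}."""
    root = build_sample_tree()
    return {
        name: assess(inventory_spring_artifacts(os.path.join(root, name)))
        for name in ("install-a", "install-b")
    }


if __name__ == "__main__":
    for name, (verdict, artifacts) in demo().items():
        print(f"{name}: {verdict} {artifacts}")
```

Point the walker at a real installation directory instead of `build_sample_tree()` to inventory a deployment; a `review` verdict means a web module is present and the remaining preconditions should be checked, while `core-only` matches the advisory's finding for the bundled spring-beans case.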

Under investigation

We are continuing to investigate any impact to these products and systems:

  • Third-party services

We will keep this page updated with our findings.

Update History

2022-03-30 - Initial statement
2022-03-31 - (1) CVE disclosed; Added list of non-impacted products
2022-03-31 - (2) CloudBees CI and CloudBees Jenkins Platform added to list of non-impacted products; Identified products under investigation
2022-03-31 - (3) CloudBees CD/RO added to list of non-impacted products
2022-04-01 - Added note about Spring components