CloudBees Security Advisory 2022-03-30
Spring Framework RCE via Data Binding on JDK 9+ Vulnerability (CVE-2022-22965)
CloudBees is aware of the recently disclosed Spring Framework RCE via Data Binding on JDK 9+ vulnerability (CVE-2022-22965). We are currently investigating any impact of this vulnerability on our products and systems.
Non-impacted products
To the best of our knowledge, the following CloudBees products are not impacted by the vulnerability:
CloudBees CI
CloudBees Jenkins Platform
CloudBees CD/RO
CloudBees Feature Management
Customer Success Services
CloudBees Build Acceleration
CloudBees CodeShip
CloudBees Console
DevOptics
Note: The vulnerability can only be exploited when a specific combination of components is present. Some CloudBees products do bundle Spring Framework jars, such as spring-beans. Our investigation shows that none of these products uses spring-webmvc or spring-webflux, so the vulnerability cannot be exploited as described in CVE-2022-22965.
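The note above rests on an inventory check: which Spring Framework modules are actually bundled, and whether spring-webmvc or spring-webflux is among them. The script below is an added example of that check, not CloudBees tooling. It assumes the Maven naming convention spring-<module>-<version>.jar for Spring artifacts, and that bundled jars sit either directly on disk or one level inside a .war/.hpi/.jpi/.jar archive (for example under WEB-INF/lib); it does not inspect pom.properties or deeper nesting. With no argument it scans a small constructed sample tree so it can be run offline.

```python
"""Inventory Spring Framework artifacts bundled in a product install tree.

Added example (not CloudBees' own tooling): lists spring-* jars found on disk
and nested one level inside archives, and flags whether spring-webmvc or
spring-webflux, the modules CVE-2022-22965 requires, are present.
"""
import os
import re
import sys
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".hpi", ".jpi", ".ear")
# Assumed Maven naming convention, e.g. spring-webmvc-5.3.17.jar -> ("webmvc", "5.3.17")
SPRING_JAR_RE = re.compile(r"^spring-([a-z0-9-]+?)-(\d[\w.-]*)\.jar$")
# Modules whose presence satisfies the web data-binding precondition of the CVE
WEB_MODULES = {"webmvc", "webflux"}


def spring_module(name):
    """Return (module, version) if the basename is a Spring Framework jar, else None."""
    m = SPRING_JAR_RE.match(os.path.basename(name))
    return (m.group(1), m.group(2)) if m else None


def scan_tree(root):
    """Walk root and return a list of (location, module, version) findings.

    location is the jar path on disk, or "archive!entry" for jars nested one
    level inside another archive (for example WEB-INF/lib inside a .war or .hpi).
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            hit = spring_module(fn)
            if hit:
                findings.append((path, hit[0], hit[1]))
            if not fn.endswith(ARCHIVE_SUFFIXES) or not zipfile.is_zipfile(path):
                continue
            with zipfile.ZipFile(path) as zf:
                for entry in zf.namelist():
                    nested = spring_module(entry)
                    if nested:
                        findings.append((f"{path}!{entry}", nested[0], nested[1]))
    return findings


def web_modules_present(findings):
    """True when spring-webmvc or spring-webflux appears anywhere in the findings."""
    return any(module in WEB_MODULES for _, module, _ in findings)


def build_sample_tree():
    """Create a constructed sample install tree (not a real product layout).

    Contains a bare spring-beans jar on disk and a plugin archive that nests
    spring-webmvc under WEB-INF/lib, so both detection paths are exercised.
    """
    root = tempfile.mkdtemp(prefix="spring-inventory-")
    with zipfile.ZipFile(os.path.join(root, "spring-beans-5.3.17.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(os.path.join(root, "plugin.hpi"), "w") as z:
        z.writestr("WEB-INF/lib/spring-webmvc-5.3.17.jar", b"")
        z.writestr("WEB-INF/lib/commons-io-2.11.0.jar", b"")
    return root


def main(argv):
    root = argv[1] if len(argv) > 1 else build_sample_tree()
    findings = scan_tree(root)
    for location, module, version in sorted(findings):
        flag = "  <-- web module" if module in WEB_MODULES else ""
        print(f"spring-{module} {version}  {location}{flag}")
    if web_modules_present(findings):
        print("RESULT: spring-webmvc/spring-webflux present; review JDK version and "
              "deployment for CVE-2022-22965")
        return 1
    print("RESULT: no spring-webmvc/spring-webflux found; the web data-binding path "
          "described in CVE-2022-22965 is not bundled")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python spring_inventory.py /path/to/install` against a product tree; a non-zero exit code means a web module was found and the remaining preconditions (JDK version, deployment form) need to be reviewed rather than assumed safe.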
Under investigation
We are continuing to investigate any impact to these products and systems:
Third-party services
We will keep this page updated with our findings.
Update History
2022-03-30 - Initial statement
2022-03-31 - (1) CVE disclosed; Added list of non-impacted products
2022-03-31 - (2) CloudBees CI and CloudBees Jenkins Platform added to list of non-impacted products; Identified products under investigation
2022-03-31 - (3) CloudBees CD/RO added to list of non-impacted products
2022-04-01 - Added note about Spring components