Spring Framework RCE via Data Binding on JDK 9+ Vulnerability (CVE-2022-22965)
CloudBees is aware of the recently disclosed Spring Framework RCE via Data Binding on JDK 9+ vulnerability (CVE-2022-22965). We are currently investigating any impact of this vulnerability on our products and systems.
To the best of our knowledge, the following CloudBees products are not impacted by the vulnerability:
CloudBees Jenkins Platform
CloudBees Feature Management
Customer Success Services
CloudBees Build Acceleration
Note: The vulnerability can only be exploited with a combination of components. Some CloudBees products do have Spring Framework jars bundled, such as spring-beans. Our investigation shows that none of the products are using spring-webmvc or spring-webflux, making it impossible for the security vulnerability to be exploited as described in CVE-2022-22965.
We are continuing to investigate any impact to these products and systems:
We will keep this page updated with our findings.
2022-03-30 - Initial statement
2022-03-31 - (1) CVE disclosed; Added list of non-impacted products
2022-03-31 - (2) CloudBees CI and CloudBees Jenkins Platform added to list of non-impacted products; Identified products under investigation
2022-03-31 - (3) CloudBees CD/RO added to list of non-impacted products
20222-04-01 - Added note about Spring components