We are getting requests from our customers who are concerned about the so-called Spring Framework RCE vulnerabilities.
The security vulnerabilities are related to Spring Framework, a Java-based open source programming and configuration model for modern enterprise applications running in different environments.
Based on our software dependency analysis, dSPACE products are not affected by the vulnerabilities listed below, since dSPACE software does not use any component of the Spring Framework. This result also applies to the third-party components installed with our software.

CVE Dictionary Entry | Description and assessment |
---|---|
CVE-2022-22965 | A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. dSPACE is not affected, since Spring Framework is not used in any dSPACE software. |
CVE-2022-22963 | In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. dSPACE is not affected, since Spring Framework is not used in any dSPACE software. |
CVE-2022-22950 | In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. dSPACE is not affected, since Spring Framework is not used in any dSPACE software. |

Date | 2022-04-06 |
Information Type | Notifications |
Information Category | Product Security, Troubleshooting |
dSPACE Release | 2021-B, 2021-A, 2020-B, 2020-A, 2019-B, 2019-A, 2018-B, 2018-A, 2017-B, 2017-A, 2016-B, 2016-A, 2015-B, 2015-A, 2014-B, 2014-A, 2013-B, 2013-A, Prior to 2013-A |