Philippe Fontan
April 5th, 2022
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Objectif Lune has run an audit of its own software products to determine if they are vulnerable to this attack. We are pleased to report that none of our current or legacy products are exposed to the attack.
More specifically:
Note that some auditing applications may still report OL Connect as a false positive for this vulnerability because the version of the Spring Framework used in OL Connect is listed as potentially vulnerable, even though the modules concerned are unused.
Updating the Spring Framework in OL Connect would require a fair amount of retesting that would have a significant impact on the upcoming release of OL Connect 2022.1, which is currently in pre-release mode. We have therefore elected to go ahead with the release as planned and we will start working immediately on eliminating those false positive reports in the following release, 2022.2.
Tagged in: CVE-2022-22965, Spring MVC, Spring WebFlux, Vulnerability