Public Notice

Spring Framework Vulnerability Update

31 March 2022

The TIBCO Security team is aware of the recently announced Java Spring Framework vulnerabilities (CVE-2022-22963, CVE-2022-22965), with one of them being referred to as “Spring4Shell”. These vulnerabilities potentially enable an attacker to execute arbitrary code by taking advantage of poor data bindings and/or malicious expression language statements. 

TIBCO is also aware of CVE-2022-22950, and this issue is under investigation as part of our response to CVE-2022-22963 and CVE-2022-22965. 

TIBCO’s Security team is actively monitoring the still evolving situation and updates with regards to the Java Spring Framework and our Product Security Incident Response Team (PSIRT) is actively evaluating how this vulnerability may affect TIBCO products and cloud services.

We will provide updates as more information becomes available and we complete our investigation. This information will include which TIBCO products and services are affected and how customers and users of those products and services can best mitigate or protect themselves from being exploited by this vulnerability.

 

For more information on the vulnerability, please see the following references: