Spring Framework Security Concerns Answered

At the end of March 2022, VMware, Inc., announced two security flaws related to their Spring Framework, causing some concern and questions for several uAchieve clients:

CVE-2022-22963 is specific to the Spring Cloud Function library. None of the uAchieve applications use this library, therefore uAchieve is not vulnerable to this security flaw and no action is required by our clients to mitigate it.

CVE-2022-22965 results from a flaw in the Spring MVC and Spring WebFlux libraries. Spring MVC is used by uAchieve applications and therefore clients are potentially exposed. However, the security flaw is only present when Spring MVC is run with Java 9 or higher. uAchieve is only supported with Java 8, so our clients running uAchieve should NOT be exposed. To be sure your systems are not vulnerable, make sure you are running uAchieve with Java 8 and update Tomcat to the 8, 9, or 10 release.
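The two conditions above (Java 8 and a Tomcat 8, 9, or 10 release) can be confirmed from the version strings the tools themselves print. The following script is an added example, not code from uAchieve or from the Spring advisory: it parses the first line of `java -version` output (which goes to stderr, hence the `2>&1` in the live-use line) and the `Server version:` line of `catalina.sh version`, and reports whether the host matches what the advisory describes. The sample outputs embedded below are constructed for illustration, and the Tomcat point release in them is a placeholder; the exact patched point release should be taken from the Spring advisory.

```shell
#!/bin/sh
# Added example (not part of the original advisory): check the Java major
# release and the Tomcat major release from the tools' own version output.

# java_major "<java -version output>" -> prints the major release (8, 9, 11, 17 ...)
java_major() {
    # First line looks like:  java version "1.8.0_322"   or   openjdk version "17.0.2"
    v=$(printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1)
    case "$v" in
        1.*) printf '%s\n' "$v" | cut -d. -f2 ;;   # legacy scheme: 1.8.0_322 -> 8
        *)   printf '%s\n' "$v" | cut -d. -f1 ;;   # modern scheme: 17.0.2 -> 17
    esac
}

# tomcat_major "<catalina.sh version output>" -> prints the major release (8, 9, 10 ...)
tomcat_major() {
    # Relevant line looks like:  Server version: Apache Tomcat/9.0.0
    printf '%s\n' "$1" | sed -n 's#^Server version: *Apache Tomcat/\([0-9]*\)\..*#\1#p' | head -n 1
}

# uachieve_env_ok JAVA_OUTPUT TOMCAT_OUTPUT
# Returns 0 when Java is release 8 AND Tomcat is a major 8, 9 or 10 line,
# i.e. the environment the advisory describes as not exposed. Returns 1 otherwise.
uachieve_env_ok() {
    jm=$(java_major "$1")
    tm=$(tomcat_major "$2")
    [ "$jm" = "8" ] || return 1
    case "$tm" in
        8|9|10) return 0 ;;
        *)      return 1 ;;
    esac
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_JAVA8='openjdk version "1.8.0_322"
OpenJDK Runtime Environment (build 1.8.0_322-b06)
OpenJDK 64-Bit Server VM (build 25.322-b06, mixed mode)'

SAMPLE_JAVA11='openjdk version "11.0.14" 2022-01-18
OpenJDK Runtime Environment (build 11.0.14+9)
OpenJDK 64-Bit Server VM (build 11.0.14+9, mixed mode)'

# Tomcat point release below is a placeholder, not the advisory's patched version.
SAMPLE_TOMCAT9='Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/9.0.0
Server built:   Jan 1 2022 00:00:00 UTC'

# Offline demonstration against the constructed samples.
if uachieve_env_ok "$SAMPLE_JAVA8" "$SAMPLE_TOMCAT9"; then
    echo "sample 1 (Java 8 + Tomcat 9): matches the advisory's non-exposed configuration"
fi
if ! uachieve_env_ok "$SAMPLE_JAVA11" "$SAMPLE_TOMCAT9"; then
    echo "sample 2 (Java 11 + Tomcat 9): Java 9 or higher, review against the advisory"
fi

# Live use on a real host (CATALINA_HOME assumed to point at the Tomcat install):
#   uachieve_env_ok "$(java -version 2>&1)" "$("$CATALINA_HOME/bin/catalina.sh" version)"
```

The check only reads the major release numbers, which is all the advisory's wording pins down; it deliberately does not try to guess a patched Tomcat point release, so pair it with the version list in the Spring advisory when you verify a host.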

More details about the impact of this CVE on uAchieve and steps that can be taken to harden your environment are available in our security alert.

We will update the alert should more details be made available by Spring or others in the community.