Spring Framework and Spring Cloud Function Remote Code Execution Vulnerabilities: Essent Products Not Affected
Actions to Take
Bring this Support Notice to the attention of your Information Technology department.
Issue
Two vulnerabilities were identified in Spring Framework and Spring Cloud Function, a popular framework and tool for building Java-based applications.
Essent Service Impact Analysis
There is no impact to Essent products and services.
Essent has taken action to confirm that Essent products and services do not use public-facing Java-based tools or the Spring Framework.
Essent products and services, including Compass™, SiteBuilder™, PunchOutNow™, Direct2Decoration™, and the Essent Commerce Cloud, are not affected by these vulnerabilities.
Corrective Action
No corrective action is required as it pertains to Essent products and services.
Essent encourages customers using the Spring Framework and/or Spring Cloud to perform their own evaluation and to prioritize patching of any public Internet-facing service first.
Anyone using the Spring Framework should upgrade to Spring Framework 5.3.18 or 5.2.20, depending on the release line in use. Spring itself also details workarounds for the vulnerabilities.
More information
CVE-2022-22963 and CVE-2022-22965 are Remote Code Execution vulnerabilities discovered in late March 2022.
CVE-2022-22963, "Spring Expression Resource Access Vulnerability", and CVE-2022-22965, sometimes referred to as "Spring4Shell", were patched on or before March 31, 2022.
The Spring blog details the vulnerabilities and mitigation steps. An extended explanation of the two issues and their affected products is available from Sophos.