Update on Spring4Shell Vulnerability

A vulnerability, referred to as Spring4Shell, was identified that impacts Spring MVC and Spring WebFlux applications running on JDK 9+(CVE-2022-22965). The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Our engineering teams are conducting a complete assessment, and to-date have found no evidence of any compromise on insightsoftware servers.

The following insightsoftware SaaS solutions were determined to be potentially vulnerable to CVE-2022-22965 and we are actively working on remediation. Any insightsoftware SaaS solutions not listed here are not vulnerable:

• IDL
• Magnitude Angles for SAP (via a 3rd party library)
• Magnitude Kalido (via a 3rd party library)
• Tidemark

The following insightsoftware on-premises products that are used within customers’ networks were determined to be potentially vulnerable to CVE-2022-22965. Any insightsoftware on-premises products not listed here are not vulnerable.

• IDL
• Intellicast
• Magnitude Angles for SAP

For information regarding mitigation and available patches for insightsoftware products, please find links to relevant product support portals at the top of this page.

For information regarding mitigation and available patches for Magnitude Software, an insightsoftware company, products, please visit https://www.magnitude.com/support.

insightsoftware continues to monitor this developing situation and will provide updates via the support pages.