A vulnerability exists in Spring Core, part of the Spring Framework, which can be exploited for Remote Code Execution (RCE). The vulnerability has been named Spring4Shell and its tracking number is CVE-2022-22965.

A second vulnerability is reported at the same time, with CVE-2022-22963. This is a remote code execution vulnerability in Spring Cloud Function.

Spring4Shell (CVE-2022-22965) and CVE-2022-22963 are two separate vulnerabilities.

Are Control-M SaaS products affected by these vulnerabilities?

Last updated: April 4, 2022.
 

CVE-2022-22965 (Spring4Shell)

The following products have been found to contain the Spring4Shell (CVE-2022-22965) vulnerability:

- Control-M SaaS plugins for: Hadoop, Informatica, AWS, Azure and Application Integrator
An Application Pack patch 9.0.20.281 is available to be installed on top of Control-M/Agent 9.0.20.280. 
This patch contains a fix for defect: CTM-6693 which upgrades Spring-core framework to 5.2.20 release.
  


All supported versions of the following products are not impacted by the Spring4Shell (CVE-2022-22965) vulnerability:
- Control-M SaaS Platform
- Control-M SaaS Agent
- Control-M SaaS for SAP
- Control-M SaaS Managed File Transfer

 

CVE-2022-22963

All supported versions of Control-M SaaS products are not impacted by the CVE-2022-22963 vulnerability.