A vulnerability exists in Spring Core, part of the Spring Framework, which can be exploited for Remote Code Execution (RCE). The vulnerability has been named Spring4Shell and its tracking number is CVE-2022-22965.

A second vulnerability is reported at the same time, with CVE-2022-22963. This is a remote code execution vulnerability in Spring Cloud Function.

Spring4Shell (CVE-2022-22965) and CVE-2022-22963 are two separate vulnerabilities.

Is Helix Control-M products affected by these vulnerabilities?

Last updated: April 4, 2022.
 

CVE-2022-22965 (Spring4Shell)

The following products have been found to contain the Spring4Shell (CVE-2022-22965) vulnerability:

- Helix Control-M plugins for: Hadoop, Informatica, AWS, Azure and Application Integrator
An Application Pack patch 9.0.20.281 is available to be installed on top of Control-M/Agent 9.0.20.280. 
This patch contains a fix for defect: CTM-6693 which upgrades Spring-core framework to 5.2.20 release.
  


All supported versions of the following products are not impacted by the Spring4Shell (CVE-2022-22965) vulnerability:
- Helix Control-M Platform
- Helix Control-M Agent
- Helix Control-M SAP
- Helix Control-M Managed File Transfer

 

CVE-2022-22963

All supported versions of all Helix Control-M products are not impacted by the CVE-2022-22963 vulnerability.