MattH
Alteryx

What Is Spring4Shell - CVE-2022-22965

CVE-2022-22965, widely known as Spring4Shell, is a vulnerability in the Spring Framework that affects applications running on Java Development Kit (JDK) 9 or later, allowing for potential data leaks and remote code execution in vulnerable applications.  Spring is an open source, lightweight Java application framework used to create high-quality, easily testable code and is currently owned by VMware.


Products Confirmed As Not Impacted

  • Designer
  • Designer Cloud
  • Intelligence Suite
  • Lore IO
  • Machine Learning
  • Promote
  • Public Gallery
  • Server/Gallery
  • Third Party Software


Products Confirmed As Patched

  • Trifacta – Patch applied
  • Trifacta Cloud – Patch applied
  • Hyper Anna – Patch applied
  • Hyper Anna Cloud – Patch applied

While these products were found to be unaffected, we have applied the patches recommended by Spring as a precaution.


Products Impacted

  • Connect

All versions of Connect include vulnerable dependencies, and we recommend updating the Apache Tomcat server bundled with the install.  Step-by-step instructions for doing this are available here.  If you require further assistance, please contact Customer Support.
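The advisory above describes the preconditions for Spring4Shell (JDK 9 or later, a vulnerable Spring Framework) and recommends updating the Tomcat bundled with Connect. The script below is an added example, not part of this Alteryx advisory and not Alteryx tooling: it checks an install against those preconditions using the upstream fixed releases (Spring Framework 5.3.18 / 5.2.20; Tomcat 10.0.20 / 9.0.62 / 8.5.78, which closed the class-loader attack vector). It assumes the Tomcat version is taken from the output of `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo`, that the JDK version comes from `java -version`, and that Spring jars in `WEB-INF/lib` follow the standard `spring-webmvc-<version>.jar` / `spring-webflux-<version>.jar` naming. The sample inputs are constructed, not captured from a real Connect install.

```python
"""Spring4Shell (CVE-2022-22965) exposure check for a Tomcat-hosted app.

Added example; not from the Alteryx advisory. Fixed versions below are
from the upstream Spring and Apache Tomcat advisories. The input formats
(java -version, Tomcat ServerInfo, Maven jar names) are assumptions.
"""
import re

# Constructed sample inputs (not from a real install).
SAMPLE_JAVA_VERSION = 'openjdk version "11.0.14" 2022-01-18\nOpenJDK Runtime Environment'
SAMPLE_SERVER_INFO = """Server version: Apache Tomcat/9.0.56
Server built:   Dec 2 2021 22:01:27 UTC
Server number:  9.0.56.0
OS Name:        Windows Server 2019
"""
SAMPLE_LIBS = ["spring-core-5.3.15.jar", "spring-webmvc-5.3.15.jar",
               "jackson-databind-2.13.1.jar"]

# First release of each maintained line that is no longer exposed.
TOMCAT_FIXED = {(10, 0): (10, 0, 20), (9, 0): (9, 0, 62), (8, 5): (8, 5, 78)}
SPRING_FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

SPRING_WEB_JAR = re.compile(r"^spring-(webmvc|webflux)-(\d+\.\d+\.\d+)")


def parse_version(text):
    """'9.0.56' -> (9, 0, 56); trailing qualifiers such as '.RELEASE' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def java_major(java_version_output):
    """Feature release from `java -version`: JDK 9+ prints "11.0.14" or "17",
    JDK 8 and earlier print the legacy "1.8.0_312" form."""
    m = re.search(r'version "([^"]+)"', java_version_output)
    if not m:
        raise ValueError("no version string in java -version output")
    parts = m.group(1).split(".")
    return int(parts[1]) if parts[0] == "1" else int(parts[0])


def tomcat_version(server_info_output):
    """Version tuple from the 'Server version: Apache Tomcat/x.y.z' line."""
    m = re.search(r"Server version:\s*Apache Tomcat/(\S+)", server_info_output)
    if not m:
        raise ValueError("no 'Server version' line in ServerInfo output")
    return parse_version(m.group(1))


def meets_fixed(version, fixed_table):
    """True if at or past the fixed release of its line, False if behind,
    None if the line (e.g. an end-of-life one) has no fixed release listed."""
    fixed = fixed_table.get(version[:2])
    if fixed is None:
        return None
    return version >= fixed


def spring_web_versions(jar_names):
    """Map 'webmvc'/'webflux' -> version tuple for the Spring web jars present."""
    found = {}
    for name in jar_names:
        m = SPRING_WEB_JAR.match(name)
        if m:
            found[m.group(1)] = parse_version(m.group(2))
    return found


def assess(java_version_output, server_info_output, jar_names):
    """Exposed when: JDK 9+, a spring-webmvc/webflux jar below its fixed
    release, and the hosting Tomcat below (or outside) the hardened lines.
    Either a fixed Spring or a hardened Tomcat removes the exposure."""
    jdk = java_major(java_version_output)
    tomcat = tomcat_version(server_info_output)
    spring = spring_web_versions(jar_names)
    tomcat_ok = meets_fixed(tomcat, TOMCAT_FIXED)
    spring_ok = bool(spring) and all(
        meets_fixed(v, SPRING_FIXED) is True for v in spring.values())
    exposed = jdk >= 9 and bool(spring) and not spring_ok and tomcat_ok is not True
    return {"jdk": jdk, "tomcat": tomcat, "tomcat_hardened": tomcat_ok,
            "spring": spring, "spring_fixed": spring_ok, "exposed": exposed}


if __name__ == "__main__":
    for key, value in assess(SAMPLE_JAVA_VERSION, SAMPLE_SERVER_INFO, SAMPLE_LIBS).items():
        print(f"{key}: {value}")
```

Run against the constructed sample (JDK 11, Tomcat 9.0.56, spring-webmvc 5.3.15) the check reports the install as exposed; substituting Tomcat 9.0.62 or a JDK 8 `java -version` line clears it, which mirrors the two remediation paths Spring and Tomcat published.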


Alteryx will also be providing fixed versions of Connect for currently supported versions as they become available.  The current supported versions of Connect are:

Version    Release Date    End of Support
2021.4     2/2/2022        8/2/2023
2021.3     8/11/2021       2/11/2023
2021.2     5/17/2021       11/17/2022
2021.1     2/10/2021       8/10/2022
2020.4     11/18/2020      5/18/2022

Comments
bekzclz11

On March 29, 2022, a security researcher with the handle p1n93r disclosed a Spring Framework remote code execution (RCE) vulnerability, which was archived by vx-underground. This vulnerability, known as Spring4Shell, affects applications that use JDK v9 or above, run Apache Tomcat as the Servlet Container in a WAR package, and use dependencies of spring-webmvc or spring-webflux from the Spring Framework. This vulnerability is being tracked under CVE-2022-22965.

Note that due to the generality of the vulnerability, there could be other ways to exploit it.