Security Advisory – Spring4Shell Security vulnerabilities (CVE-2022-22965 and CVE-2022-22963) – April 06, 2022


Overview

On April 01, 2022, two critical remote code execution (RCE) vulnerabilities (CVE-2022-22965 and CVE-2022-22963) were disclosed in Spring frameworks, a comprehensive programming and configuration model for modern Java-based enterprise applications.

The vulnerabilities affected the Spring Core and Spring Cloud Functions.

Exploiting these remote code execution vulnerabilities may allow an attacker to bypass access controls and to download and subsequently execute a malicious payload.

 

References

  • https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
  • https://nvd.nist.gov/vuln/detail/CVE-2022-22963
  • https://nvd.nist.gov/vuln/detail/CVE-2022-22965

 

Effective Security Severity Level

Critical

 

Affected Systems

Ex Libris product that is affected: Primo.

All other Ex Libris products are not affected by these vulnerabilities.

 

Tests and Certifications

Ex Libris has evaluated all Ex Libris products for potential vulnerabilities and performed certification testing with the available patches and workarounds for all Ex Libris systems and products that are affected. It was determined that the available patches and workarounds can be safely deployed with no impact to Ex Libris systems and products.

 

Actions Taken for Hosted (Cloud) Systems

Ex Libris has deployed a signature fix that protects all cloud environments against these vulnerabilities and no action is required by the customers.

 

Required Actions for On-Premises / Local Systems

For locally installed Primo customers:

Primo on-premises customers running Primo versions from February 2021 onwards are potentially vulnerable to this threat and are advised to upgrade to the Primo February 2022 version and then follow the instructions [here] to upgrade the Tomcat version.

 

Exploitation and Public Announcements

The Ex Libris Security Incident Response Team (SIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory in the context of Ex Libris products.

 

Record of Changes

Type of information | Document Data
Document Title: Security Advisory – Spring4Shell Security vulnerabilities (CVE-2022-22965 and CVE-2022-22963) – April 06, 2022
Document Owner: Tomer Shemesh – Ex Libris Chief Information Security Officer (CISO)
Approved by: Barak Rozenblat – VP Cloud Services
Issued: April 06, 2022
Reviewed & Revised: April 06, 2022

 

Revision Control

Version Number | Nature of Change | Date Approved
1.0 | Initial version | April 06, 2022

 

Document Distribution and Review

The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated regularly or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.
