New Relic has initiated activities through its Vulnerability Management program (Security policy | New Relic Documentation) to proactively monitor and defend against potential issues related to CVE-2022-22965 (CVE-2022-22965 | Security | VMware Tanzu), “Spring4Shell (Spring Framework RCE, Early Announcement),” which was publicly reported on March 31st, 2022. New Relic is urgently investigating implications across our internal and production environments and will take actions as needed.
At this moment customers using New Relic products do not need to take any direct action related to New Relic software for this specific CVE. However, as New Relic continues to evaluate actions regarding upgraded Spring packages (Spring Framework RCE, Early Announcement), we anticipate that this may require some New Relic products to be updated by customers. If and when this happens, New Relic will release guidance on our Security bulletins | New Relic Documentation page.
To get security notifications from New Relic in the future, please subscribe to New Relic’s Security notifications community channel or RSS feed (Security bulletins | New Relic Documentation) and New Relic’s https://newrelic.com/blog. Please monitor closely.
Keeping customers secure is always our top priority. As a reminder, we recommend our customers adopt secure internet and application practices. For more information, please visit Security and privacy | New Relic Documentation. If you have any questions, please let us know by filing a support case through the In-Product Support experience of the platform (click the Documentation and Support link and select “I need more help”), or visit https://support.newrelic.com.