Another Java vulnerability identified

It appears there is another Java vulnerability identified, this time in the Spring4Shell library. Can you confirm the status of this for your organisation and the services we use in terms of potential impact and remediation steps taken or to take place?

I provide some additional information as provided by our security team below.

https://www.bleepingcomputer.com/news/security/new-spring-java-framework-zero-day-allows-remote-code-execution/

https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/validation/DataBinder.html

1 Like

Thank you for contacting New Relic about the “Spring4Shell” vulnerability (CVE-2022-22965). Our Security Team is investigating this as their top priority and we will follow up with you as soon as we have more information.

Keeping customer data secure is New Relic’s top priority; we have a well-established security program that includes vulnerability management components that continuously scan and monitor our applications and systems for new vulnerabilities. The vulnerability management program is reviewed annually as part of our SOC2 certification, and we are happy to share our latest SOC2 report as well as further details of our program under NDA.

2 Likes

Hello @grayat:

New Relic has initiated activities through its Vulnerability Management program (Security policy | New Relic Documentation) to proactively monitor and defend against potential issues related to CVE-2022-22965 (CVE-2022-22965 | Security | VMware Tanzu), “Spring4Shell (Spring Framework RCE, Early Announcement),” which was publicly reported on March 31st, 2022. New Relic is urgently investigating implications across our internal and production environments and will take actions as needed.

At this moment customers using New Relic products do not need to take any direct action related to New Relic software for this specific CVE. However, as New Relic continues to evaluate actions regarding upgraded Spring packages (Spring Framework RCE, Early Announcement), we anticipate that this may require some New Relic products to be updated by customers. If and when this happens, New Relic will release guidance on our Security bulletins | New Relic Documentation page.

To get security notifications from New Relic in the future, please subscribe to New Relic’s Security notifications community channel or RSS feed (Security bulletins | New Relic Documentation) and New Relic’s https://newrelic.com/blog. Please monitor closely.

Keeping customers secure is always our top priority. As a reminder, we recommend our customers adopt secure internet and application practices. For more information, please visit Security and privacy | New Relic Documentation. If you have any questions, please let us know by filing a support case through the In-Product Support experience of the platform by clicking on the Documentation and Support link and selecting “I need more help” or visit https://support.newrelic.com.

Dear @grayat1,

New Relic has completed its investigation of Spring Cloud vulnerabilities CVE-2022-22963 and CVE-2022-22947 and determined that no distributed New Relic software was impacted by these vulnerabilities. Customers using New Relic products do not need to take any direct action related to New Relic software for these specific CVEs.

To receive security notifications from New Relic in the future, please subscribe to New Relic’s Security notifications community channel or RSS feed and New Relic’s blog.

Keeping customers secure is always our top priority. As a reminder, we recommend our customers adopt secure internet and application practices. For more information, please visit Security and privacy | New Relic Documentation. If you have any questions, please let us know by filing a support case through the In-Product Support experience of the platform by clicking on the Documentation and Support link and selecting “I need more help” or visiting https://support.newrelic.com.

1 Like