Spring Framework (CVE-2022-22965)?

Could you please confirm that the NewRelic platform is not affected by Spring framework (CVE-2022-22965)?

Can you confirm that the NewRelic platform is not affected by the Spring framework issue (CVE-2022-22965)?

Thank you for contacting New Relic about the “Spring4Shell” vulnerability (CVE-2022-22965). Our Security Team is investigating this as their top priority and we will follow up with you as soon as we have more information.

Keeping customer data secure is New Relic’s top priority; we have a well-established security program that includes vulnerability management components that continuously scan and monitor our applications and systems for new vulnerabilities. The vulnerability management program is reviewed annually as part of our SOC2 certification, and we are happy to share our latest SOC2 report as well as further details of our program under NDA.


Hello @tkkym -

New Relic has initiated activities through its Vulnerability Management program (Security policy | New Relic Documentation) to proactively monitor and defend against potential issues related to CVE-2022-22965 (CVE-2022-22965 | Security | VMware Tanzu), “Spring4Shell (Spring Framework RCE, Early Announcement),” which was publicly reported on March 31st, 2022. New Relic is urgently investigating implications across our internal and production environments and will take actions as needed.

At this moment customers using New Relic products do not need to take any direct action related to New Relic software for this specific CVE. However, as New Relic continues to evaluate actions regarding upgraded Spring packages (Spring Framework RCE, Early Announcement), we anticipate that this may require some New Relic products to be updated by customers. If and when this happens, New Relic will release guidance on our Security bulletins | New Relic Documentation page.

To get security notifications from New Relic in the future, please subscribe to New Relic’s Security notifications community channel or RSS feed (Security bulletins | New Relic Documentation) and New Relic’s https://newrelic.com/blog. Please monitor closely.

Keeping customers secure is always our top priority. As a reminder, we recommend our customers adopt secure internet and application practices. For more information, please visit Security and privacy | New Relic Documentation. If you have any questions, please let us know by filing a support case (https://support.newrelic.com) through the In-Product Support experience of the platform by clicking on the Documentation and Support link and selecting “I need more help” or visit https://support.newrelic.com.
