Spring remote code execution vulnerabilities (CVE-2022-22963, CVE-2022-22965) do not affect IMiS ARChive servers
Critical vulnerabilities that allow remote code execution were recently discovered in the Spring framework.
IMiS ARChive servers are not affected because they do not use the Spring framework.
Two critical vulnerabilities, CVE-2022-22963 and CVE-2022-22965, were recently discovered in the Spring framework.
They allow an unauthenticated attacker to execute arbitrary code on the target system.
CVE-2022-22963 allows an attacker to execute arbitrary code on the server side by using the Spring Expression Language (SpEL) in
Spring Cloud Function via an unvalidated HTTP header.
CVE-2022-22965 allows an attacker to send a malicious request to Spring Core (Spring MVC and Spring WebFlux), bypassing
the protection against CVE-2010-1622 to gain access to restricted functionality within the JVM.
The Spring framework is not used by IMiS ARChive servers, and therefore they are not affected by CVE-2022-22963 or CVE-2022-22965.
Copyright © Imaging Systems Ltd, 2022