CVE-2022-22965 "Spring4Shell" Vulnerability
Incident Report for Squiz
Resolved
This incident has been resolved.
Posted Aug 05, 2022 - 10:25 AEST
Identified
Dear Squiz Customers,
Squiz has been made aware of CVE-2022-22965, a vulnerability in the Spring Framework that affects applications running on Java versions 9 and above. Java version 9 and above is used in Funnelback versions 15.20 and above.

Our Security, Product and Platform teams have reviewed the specific CVE and its exploitation method, and have determined that Funnelback is currently not vulnerable: the exploit depends on the Tomcat application server, which is not used in the Funnelback application as deployed by Squiz. However, this may change as further investigations are carried out by the Spring team. Matrix does not use Java and is not affected.

As part of our security response, Squiz is currently developing network-level mitigations for the known exploit path, which we will deploy to all Funnelback and Squiz hosted systems as soon as they are tested and pass review. Squiz will also provide details of those mitigations, on request, to customers who self-host Funnelback solutions. The Funnelback product team will also investigate product updates for affected Funnelback versions.
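The notice above does not describe the network-level mitigation itself. As an added illustration of the kind of check a defender can run while a mitigation is being prepared, the example below is not Squiz's code and not Funnelback's: it scans web-server access logs for request parameters whose names match the field patterns that the Spring project published as a data-binder workaround for this CVE (`class.*`, `Class.*`, `*.class.*`, `*.Class.*`). The log lines and parameter names are constructed samples, and the combined-style log format is an assumption.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines in Apache/Tomcat "combined" style.
# None of this is real Squiz or Funnelback traffic; the parameter names on
# lines 2 and 3 are sanitised examples of the disallowed-field patterns.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Mar/2022:09:12:01 +1100] "GET /s/search.html?collection=docs&query=budget HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [31/Mar/2022:09:12:44 +1100] "GET /s/search.html?class.module.classLoader.x=1 HTTP/1.1" 200 5120 "-" "curl/7.79"
10.0.0.9 - - [31/Mar/2022:09:13:10 +1100] "POST /s/search.html?form.Class.y=2 HTTP/1.1" 400 312 "-" "python-requests/2.27"
10.0.0.9 - - [31/Mar/2022:09:13:30 +1100] "GET /s/search.html?classification=public HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_disallowed_field(name: str) -> bool:
    """True if a bound-field name matches the patterns from Spring's published
    workaround: class.*, Class.*, *.class.*, *.Class.*"""
    return (
        name.startswith("class.")
        or name.startswith("Class.")
        or ".class." in name
        or ".Class." in name
    )


def suspicious_params(target: str) -> List[str]:
    """Return the query-parameter names in a request target that hit the patterns."""
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if is_disallowed_field(k)]


def scan_access_log(text: str) -> List[Dict]:
    """Return one record per log line whose query string carries a disallowed field."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        params = suspicious_params(m["target"])
        if params:
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "method": m["method"],
                "status": int(m["status"]),
                "params": params,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} status={hit["status"]} fields={hit["params"]}')
```

Two caveats for anyone adapting this: a plain `class` prefix check would also match legitimate names such as `classification`, which is why the patterns require the dot; and access logs only record the query string, so form-encoded POST bodies, which Spring binds the same way, are not visible here and need inspection at the proxy or application layer.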

Squiz will continue to monitor developments for CVE-2022-22965. If you have any additional questions, please don’t hesitate to get in touch with Squiz via email to support@squiz.net.
Posted Apr 01, 2022 - 13:14 AEDT
This incident affected: Squiz Cloud Hosted Instances.