KB-2209 Information about the Spring4Shell security vulnerability (CVE-2022-22965)

On 31-Mar-2021 an announcement was made regarding the Spring4Shell security vulnerability (CVE-2022-22965). Following the announcement, Appian actively investigated whether the impacted library is being used on the Appian platform. Appian has taken the following actions in response:

Appian is continuously conducting active security monitoring of Appian Cloud and is not aware of any breach or indicators of compromise related to this vulnerability, whether internal or external.
The Appian platform currently uses affected versions of Spring. It also uses Tomcat 8 and 9, however, Appian does not believe the platform is vulnerable due to usage of strict json annotations for user-supplied data where Tomcat 9 is used.
Despite our current assessment that we are not vulnerable, Appian has published a hotfix on 08-Apr-2022 to upgrade the platform to use Spring 5.3.18.

Additional Notes:

The Spring Framework is a Java framework that offers infrastructure support to develop web applications.
The maintainers of Spring Framework have released an emergency patch to address a newly disclosed remote code execution flaw that, if successfully exploited, could allow an unauthenticated attacker to take control of a targeted system.
Tracked as CVE-2022-22965, this high-severity flaw impacts Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19 and other older, unsupported versions. Users are recommended to upgrade to versions 5.3.18 or later and 5.2.20 or later.
During the same timeline, another Spring vulnerability was announced that we wanted to provide clarification on: RCE in Spring Cloud Function - CVE-2022-22963. Appian is not affected by this vulnerability as we do not utilize this.

Supporting Documentation:

Timeline:

31-Mar-2022 - CVE-2022-22965 released
08-Apr-2022 - Hotfix from Appian released

Affected Versions

This article applies to all supported versions of Appian.

Last Reviewed: April 8, 2022