Are Symantec Encryption Products Affected by the Spring Framework CVE-2022-22965?

Article ID: 238645

Products

Endpoint Encryption, Desktop Email Encryption, Encryption Management Server, Drive Encryption, File Share Encryption

Issue/Introduction

You would like to determine whether Symantec Encryption family products are susceptible to CVE-2022-22965.

Symantec is investigating CVE-2022-22965, aka Spring4Shell, which is an RCE vulnerability in the Spring Framework. When exploited, the vulnerability allows an unauthenticated attacker to execute arbitrary code on the target system.

Cause

According to a vulnerability report released by VMware on March 31, 2022, a Spring Framework application running on Java Development Kit version 9 or later may be vulnerable to remote code execution attacks and follow-on exploitation under certain conditions. This vulnerability has been assigned CVE-2022-22965 and is known as “Spring4Shell.”

Resolution

We have confirmed that the Encryption products are not affected by the Spring4Shell vulnerability CVE-2022-22965. For more information, please refer to SA 20427.