Spring Framework Denial of Service (DoS) Data Binding Vulnerability - CVE-2022-22970 and CVE-2022-22971 in DLP

Article ID: 244018


Products

Data Loss Prevention Endpoint Prevent Data Loss Prevention

Issue/Introduction

DLP is not vulnerable to CVE-2022-22950, CVE-2022-22970 or CVE-2022-22971.

These issues do not impact DLP:

CVE-2022-22950 (Spring DoS vulnerability): DLP does not use the Spring Expression Language and is not vulnerable.
CVE-2022-22970 (Spring Framework DoS via data binding to MultipartFile or Servlet Part): DLP does not allow untrusted file uploads and is not impacted.
CVE-2022-22971 (Spring Framework DoS with STOMP over WebSocket): DLP does not use the WebSocket protocol and is not impacted.


Environment

Release: 15.7/15.8/16.0/16.0.1

Component:  DLP Enforce

Resolution

DLP is not vulnerable; no action is required.


Additional Information

A feature request has been submitted to update the files in question to resolve any false positives.
To be added to the feature request please open a support case with Broadcom and reference this KB.