Spring Framework Denial of Service (DoS) Data Binding Vulnerability - CVE-2022-22950, CVE-2022-22970 and CVE-2022-22971 in DLP
Article ID: 244018


Products

Data Loss Prevention Endpoint Prevent Data Loss Prevention

Issue/Introduction

DLP is not vulnerable to CVE-2022-22950, CVE-2022-22970 or CVE-2022-22971.

These issues do not impact DLP:

CVE-2022-22950 (Spring Framework DoS via Spring Expression Language): DLP does not use Spring Expression Language and is not vulnerable.

CVE-2022-22970 (Spring Framework DoS via data binding to MultipartFile or Servlet Part): DLP does not allow untrusted file uploads and is not impacted.

CVE-2022-22971 (Spring Framework DoS with STOMP over WebSocket): DLP does not use the WebSocket protocol and is not impacted.

Environment

Release: 15.7/15.8/16.0/16.0.1

Component: DLP Enforce

Resolution

DLP is not vulnerable; no action is required.

Additional Information

A feature request has been submitted to update the files in question so that they no longer produce false positives.

The files were updated in DLP 16.0.2 (RU2), and that version does not produce the false positives. The same applies to DLP 16.1.