Spring Framework Denial of Service (DoS) Data Binding Vulnerability - CVE-2022-22970 and CVE-2022-22971 in DLP
Article ID: 244018
Updated On:
Products
Data Loss Prevention Endpoint Prevent
Data Loss Prevention
Issue/Introduction
DLP is not vulnerable to CVE-22950, CVE-2022-22970 or CVE-2022-22971.
These issues do not impact DLP:
| CVE-2022-22950 | Spring DoS vulnerability | DLP does not use Spring Expression language and is not vulnerable. |
| CVE-2022-22970 | Spring framework DoS via data binding to MultipartFile or Servlet Part | DLP does not allow untrusted file uploads and is not impacted. |
| CVE-2022-22971 | Spring Framework DoS with STOMP over WebSocket |
DLP does not use WebSocket protocol and is not impacted. |
Environment
Release: 15.7/15.8/16.0/16.0.1
Component: DLP Enforce
Resolution
DLP is not vulnerable, no action required.
Additional Information
A feature request has been submitted to update the files in question to resolve any false positives.
To be added to the feature request please open a support case with Broadcom and reference this KB.
Feedback
Yes
No
Powered by
