Spring Framework Denial of Service (DoS) Data Binding Vulnerability - CVE-2022-22950, CVE-2022-22970 and CVE-2022-22971 in DLP
Article ID: 244018
Updated On:
Products
Data Loss Prevention Endpoint Prevent
Data Loss Prevention
Issue/Introduction
DLP is not vulnerable to CVE-22950, CVE-2022-22970 or CVE-2022-22971.
These issues do not impact DLP:
| CVE-2022-22950 | Spring DoS vulnerability | DLP does not use Spring Expression language and is not vulnerable. |
| CVE-2022-22970 | Spring framework DoS via data binding to MultipartFile or Servlet Part | DLP does not allow untrusted file uploads and is not impacted. |
| CVE-2022-22971 | Spring Framework DoS with STOMP over WebSocket |
DLP does not use WebSocket protocol and is not impacted. |
Environment
Release: 15.7/15.8/16.0/16.0.1
Component: DLP Enforce
Resolution
DLP is not vulnerable, no action required.
Additional Information
A feature request has been submitted to update the files in question to resolve any false positives.
The files were updated on DLP 16.0.2 (RU2) and this version doesn't have the false positives. Same for DLP 16.1.
Feedback
Yes
No
Powered by
