A critical remote code execution vulnerability within the Spring Framework was recently reported on April 1, 2022. This vulnerability is designated by NVD as CVE-2022-22965 / CVE-2022-22963 with a high severity rating of 9.8. The vulnerability is also known as Spring4Shell by security researchers. If exploited, this vulnerability allows adversaries to potentially take full control of the impacted system. 

In response to becoming aware of this vulnerability, Basware immediately mobilized its Security and Engineering organizations to investigate as part of our Security Vulnerability Management Process. 

 

Cloud Services / On-Premise Products / Client Utilities

Basware has continued with the investigation in regards to the Spring4Shell Vulnerability and have determined it is NOT applicable in any of our direct cloud services or on-premise products or client utilities. 

We are actively working with our third-party vendors to understand any exposure to this vulnerability and if impacted will ensure that they have mitigations in place and are updating their software or services to remediate this issue.

As a result of our current assessment we have reverted to standard operating procedure and we will continue to perform further assessments and as this issue continues to evolve.