Update on the recent vulnerabilities in Spring framework and the impact on ManageEngine on-premise products
A critical vulnerability in the Spring framework (CVE-2022-22965) affecting Spring MVC and Spring WebFlux applications running on JDK 9+ was disclosed publicly on March 31, 2022. The details of this vulnerability is documented by VMWare/Spring here: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
The below list of ManageEngine on-premise products do not use or bundle Spring library, thus not impacted by CVE-2022-22965:
- ADAudit Plus
- ADManager Plus
- Application Control Plus
- Applications Manager
- Asset Explorer
- Browser Security Plus
- Cloud Security Plus
- Data Security Plus
- Desktop Central
- Desktop Central MSP
- Device Control Plus
- Endpoint DLP Plus
- Exchange Reporter Plus
- Firewall Analyzer
- Key Manager Plus
- Log360 UEBA
- M365 Manager Plus
- M365 Security Plus
- Mobile Device Manager Plus
- Mobile Device Manager Plus MSP
- NetFlow Analyzer
- Network Configurations Manager
- OpManager
- OpUtils
- OS Deployer
- PAM360
- Password Manager Pro
- Patch Connect Plus
- Patch Manager Plus
- Recovery Manager Plus
- Remote Access Plus
- RMM Central
- Secure Gateway Server
- ServiceDesk Plus
- ServiceDesk Plus MSP
- SharePoint Manager Plus
- SupportCenter Plus
- Vulnerability Manager Plus
The below list of ManageEngine on-premise products include Spring framework libraries, but use JDK8, thus not impacted by CVE-2022-22965:
- Access Manager Plus
- AD360
- ADSelf Service Plus
- Eventlog Analyzer
- Log360
NOTE: There is a report of another critical vulnerability in the Spring Cloud Function (CVE-2022-22963) which is not used by any ManageEngine on-premise products, thus not impacted by the vulnerability.
We will update this advisory if any new information becomes available.
For any additional details or assistance, please contact security@manageengine.com.