Update on the recent vulnerabilities in Spring framework and the impact on ManageEngine on-premise products

Update on the recent vulnerabilities in Spring framework and the impact on ManageEngine on-premise products

A critical vulnerability in the Spring framework (CVE-2022-22965) affecting Spring MVC and Spring WebFlux applications running on JDK 9+ was disclosed publicly on March 31, 2022. The details of this vulnerability is documented by VMWare/Spring here: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
 
The below list of ManageEngine on-premise products do not use or bundle Spring library, thus not impacted by CVE-2022-22965:
 
  • ADAudit Plus
  • ADManager Plus
  • Application Control Plus
  • Applications Manager
  • Asset Explorer
  • Browser Security Plus
  • Cloud Security Plus
  • Data Security Plus
  • Desktop Central
  • Desktop Central MSP
  • Device Control Plus
  • Endpoint DLP Plus
  • Exchange Reporter Plus
  • Firewall Analyzer
  • Key Manager Plus
  • Log360 UEBA
  • M365 Manager Plus
  • M365 Security Plus
  • Mobile Device Manager Plus
  • Mobile Device Manager Plus MSP
  • NetFlow Analyzer
  • Network Configurations Manager
  • OpManager
  • OpUtils
  • OS Deployer
  • PAM360
  • Password Manager Pro
  • Patch Connect Plus
  • Patch Manager Plus
  • Recovery Manager Plus
  • Remote Access Plus
  • RMM Central
  • Secure Gateway Server
  • ServiceDesk Plus
  • ServiceDesk Plus MSP
  • SharePoint Manager Plus
  • SupportCenter Plus
  • Vulnerability Manager Plus
 
The below list of ManageEngine on-premise products include Spring framework libraries, but use JDK8, thus not impacted by CVE-2022-22965:
 
  • Access Manager Plus
  • AD360
  • ADSelf Service Plus
  • Eventlog Analyzer
  • Log360
 
NOTE: There is a report of another critical vulnerability in the Spring Cloud Function (CVE-2022-22963) which is not used by any ManageEngine on-premise products, thus not impacted by the vulnerability.
 
 
We will update this advisory if any new information becomes available.
 
For any additional details or assistance, please contact security@manageengine.com.


                  New to ADSelfService Plus?