Last Updated: 4/15/2022
Due to the amount of media coverage, some customers have started asking whether our products are vulnerable to the recently announced Spring vulnerabilities, specifically CVE-2022-22965, a critical-severity remote code execution (RCE) vulnerability (CVSS 9.8) in Spring, a popular open-source framework for Java applications. The issue is also known as "Spring4Shell" or "SpringShell".
- While general availability/extended support ArcGIS Enterprise and ArcGIS Online utilize the Spring Framework, they are not vulnerable to CVE-2022-22965 or CVE-2022-22968, as these products do not utilize Spring MVC or Spring Webflux.
- The presence of the Spring Framework (filename spring-core) is not enough to make an application vulnerable according to the developers of the component.
Based on the above, no security patches are planned for our commercial products and services for these issues.
- Esri Software Security & Privacy
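The distinction above (spring-core on the classpath versus Spring MVC or WebFlux actually being deployed) is the first thing a defender wants to confirm in their own inventory. The following is an added triage script, not Esri code or part of the announcement: it walks a WAR/EAR/JAR (including nested archives such as WEB-INF/lib or BOOT-INF/lib), records every spring-core, spring-webmvc and spring-webflux jar with its version, and buckets the result using only the criteria stated above. The sample WAR and the version string it contains are constructed for the demonstration.

```python
import io
import re
import zipfile

# The advisory's distinction: spring-core alone is not sufficient;
# the affected code path needs Spring MVC (spring-webmvc) or Spring WebFlux.
WEB_ARTIFACTS = ("spring-webmvc", "spring-webflux")
JAR_NAME = re.compile(r"(?:^|/)(spring-(?:core|webmvc|webflux))-([^/]+?)\.jar$")
NESTED = (".jar", ".war", ".ear", ".zip")

def scan_archive(data: bytes, found=None, depth=0) -> dict:
    """Map artifact name -> set of versions for every spring-* jar seen,
    descending into nested archives (WEB-INF/lib, BOOT-INF/lib, EAR modules)."""
    found = {} if found is None else found
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            m = JAR_NAME.search(name)
            if m:
                found.setdefault(m.group(1), set()).add(m.group(2))
            elif name.endswith(NESTED) and depth < 2:
                try:
                    scan_archive(zf.read(name), found, depth + 1)
                except zipfile.BadZipFile:
                    pass  # not a real archive (e.g. a resource with a .zip name)
    return found

def triage(found: dict) -> str:
    """Bucket per the advisory: MVC/WebFlux present -> needs further review;
    spring-core only -> the framework alone does not put it in scope."""
    if any(a in found for a in WEB_ARTIFACTS):
        return "review: Spring MVC/WebFlux present"
    if "spring-core" in found:
        return "not in scope: spring-core only"
    return "no Spring Framework jars found"

def build_sample_war(with_webmvc: bool) -> bytes:
    """Constructed sample WAR (not an Esri artifact) built from empty jar stubs."""
    def empty_jar():
        b = io.BytesIO()
        with zipfile.ZipFile(b, "w"):
            pass
        return b.getvalue()
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as war:
        war.writestr("WEB-INF/lib/spring-core-5.3.17.jar", empty_jar())
        war.writestr("WEB-INF/lib/spring-context-5.3.17.jar", empty_jar())
        if with_webmvc:
            war.writestr("WEB-INF/lib/spring-webmvc-5.3.17.jar", empty_jar())
    return out.getvalue()

if __name__ == "__main__":
    for flag in (False, True):
        found = scan_archive(build_sample_war(flag))
        print({k: sorted(v) for k, v in found.items()}, "->", triage(found))
```

Point `scan_archive` at the bytes of a real deployment archive to get the same bucketing; a "review" result only means the web module is present, and the versions reported still have to be checked against the Spring project's own guidance.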
Announcement Update History
- 4/15/22 – Added CVE-2022-22968 and confirmed that no patches are necessary.
- 4/4/22 – Enterprise and Online clarifications added.
- 3/31/22 – Initial announcement release.