Okta's Response to CVE-2022-22965 ("Spring4Shell")

Steve Ripaldi

Last Updated: 3/4/2022 1:30pm Pacific Time

Three critical vulnerabilities have been identified in the Java Spring Framework and related software components; one of them, CVE-2022-22965, is known as Spring4Shell/SpringShell.

  • CVE-2022-22965: In Spring Core, a Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.

Okta Security has triaged the Spring4Shell vulnerability and determined that Okta is not impacted by CVE-2022-22965.

  • Okta's core service is not impacted.
  • Okta Workflows is not impacted.
  • Okta Access Gateway and Okta Agents are not impacted.
  • Auth0 is not impacted.
  • AtSpoke is not impacted.

Two other related Critical CVEs in Spring have been published:

  • CVE-2022-22963 - Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions may be vulnerable to remote code execution and access to local resources.

    • Okta is not impacted by this vulnerability, as Okta does not use spring-cloud-function in its code base.
    • Auth0 is not impacted.
    • AtSpoke is not impacted.
  • CVE-2022-22947 - Applications using Spring Cloud Gateway versions prior to 3.1.1 and 3.0.7 may allow arbitrary remote execution on the remote host.

    • Okta is not impacted by this vulnerability. Okta does not enable or expose the Gateway Actuator Endpoint.
    • Auth0 is not impacted.
    • AtSpoke is not impacted.

While Okta is not vulnerable to the critical vulnerabilities outlined above, we will nonetheless update the Spring Framework to the latest releases during our next release cycle.
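For readers running their own Spring MVC or WebFlux applications, the example below shows the interim hardening that addresses the data-binding path named in the CVE-2022-22965 description above: a global `@ControllerAdvice` that stops request parameters from binding into `class`/`Class` property paths. This is an added example, not code from Okta or from this advisory; it follows the general workaround that the Spring Framework maintainers published alongside the fix, and the class name `BinderControllerAdvice` is an assumed name. Upgrading Spring Framework remains the actual fix; this is a stop-gap until that upgrade ships.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global data-binding hardening for CVE-2022-22965 (example, assumed class name).
 *
 * The vulnerability abuses Spring's request-parameter data binding to reach
 * properties under "class"/"Class" (e.g. the ClassLoader). Registering these
 * patterns as disallowed fields on every WebDataBinder blocks that path for
 * all controllers that do not set disallowedFields themselves.
 *
 * Lowest precedence ensures this advice runs after other @InitBinder advice,
 * so it is not silently overridden by an earlier global setting.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Patterns match the top-level property and any nested occurrence.
        String[] denylist = new String[] {
            "class.*",
            "Class.*",
            "*.class.*",
            "*.Class.*"
        };
        dataBinder.setDisallowedFields(denylist);
    }
}
```

Two caveats a practitioner should verify in their own code base: a controller that declares its own `@InitBinder` method and calls `setDisallowedFields` locally replaces this global list rather than extending it, so such controllers need the `class`/`Class` patterns added to their own list; and because this only filters binding, it does not substitute for upgrading the Spring Framework and the JDK-version check implied by the "JDK 9+" condition in the CVE description.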

Steve Ripaldi
Senior Director, Product & Infrastructure Security

Steve Ripaldi leads the Product and Infrastructure Security teams at Okta.