SAS Statement Regarding SpringShell and Associated Vulnerabilities

Reference Name:  SpringShell and Associated Vulnerabilities 
Severity: See details below
Status: See details below


History

Note: For each update listed in the History section and elsewhere in the bulletin, new or updated text is rendered in a darker color. The marks indicate changes from only the immediately preceding version of the bulletin.

  • 4-11-2022 – Revised the issue severities and updated the investigation statuses
  • 4-8-2022 – Added SAS® Viya® 3.3 to the analyses for both vulnerabilities; added SAS® 9.2 and SAS® 9.3 to the analysis for CVE-2022-22963 
  • 4-7-2022 – Updated analyses for CVE-2022-22963 and CVE-2022-22965; removed CVE-2022-22950 from the bulletin (which is focused on critical vulnerabilities) 
  • 4-6-2022 – Added analyses for SAS® Customer Intelligence 360
  • 4-4-2022 – Revised bulletin name; updated vulnerability links to reference National Vulnerability Database (NVD) entries; updated analyses based on ongoing investigations
  • 4-1-2022 – Initial statement

Impact, Severity, and Description

SAS® is aware of and investigating the following Spring vulnerabilities:

Identifier      Description                                                                          Details      Severity       Status
CVE-2022-22963  Remote code execution in Spring Cloud Function by malicious Spring expression         Spring blog  Informational  Investigation complete
CVE-2022-22965  Spring Framework remote code execution via data binding on Java Development Kit (JDK) 9+  Spring blog  Informational  Investigation complete


CVE-2022-22963: Analysis

SAS has evaluated that the following software is not impacted, because it does not have a dependency on the spring-cloud-function-context library.

  • SAS® Viya® 2020.1 and later
  • SAS® Viya® 3.3, SAS® Viya® 3.4, and SAS® Viya® 3.5
  • SAS® 9.4
  • SAS® 9.3
  • SAS® 9.2

SAS has evaluated that SAS® Customer Intelligence 360 is also not affected, because it does not have a dependency on the spring-cloud-function-context library. This assessment covers both hosted functionality and on-premises agents.

No customer action is recommended at this time to address this specific vulnerability.

As always, SAS recommends that you keep SAS deployments up to date. The current version of the SAS®9 platform is SAS® 9.4M7 (TS1M7). Instructions for upgrading are available.

CVE-2022-22965: Analysis

SAS has evaluated that the following software is not impacted, because it uses the default functionality within Spring to provide services as executable JAR files rather than as WAR files deployed on Apache Tomcat.

  • SAS Viya 2020.1 and later
  • SAS Viya 3.4 and SAS Viya 3.5

SAS has evaluated that SAS 9.2, SAS 9.3, SAS 9.4, and SAS Viya 3.3 are not affected, because they do not use JDK 9 (or later).

SAS has evaluated that SAS Customer Intelligence 360 is also not affected, because it uses the default functionality within Spring to provide services as executable JAR files rather than as WAR files deployed on Apache Tomcat. This assessment covers both hosted functionality and on-premises agents.

No customer action is recommended at this time to address this specific vulnerability.

As always, SAS recommends that you keep SAS deployments up to date. The current version of the SAS®9 platform is SAS 9.4M7 (TS1M7). Instructions for upgrading are available.
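The two preconditions the analyses above rely on (a dependency on spring-cloud-function-context for CVE-2022-22963; deployment as a WAR on Apache Tomcat under JDK 9 or later for CVE-2022-22965) can be checked mechanically on a packaged artifact. The following Python script is an added example, not SAS code and not part of this bulletin: it classifies a JAR/WAR by its layout, lists the libraries it bundles, parses the `java -version` line of the runtime, and reports whether each bulletin precondition holds. The archive contents, library versions and version strings are constructed, and a "review" result means only that the stated precondition is present, not that the deployment is exploitable.

```python
import io
import os
import re
import zipfile
from dataclasses import dataclass

# Bundled library names are matched on the file name inside the archive
# (BOOT-INF/lib/ in Spring Boot executable jars, WEB-INF/lib/ in WARs).
SPRING_CLOUD_FUNCTION = re.compile(r"^spring-cloud-function-context-.*\.jar$")


@dataclass
class Artifact:
    name: str
    packaging: str   # "war", "executable-jar" or "jar"
    libs: list       # file names of the jars bundled inside the archive


def java_major_version(version_line: str) -> int:
    """Parse the first line of `java -version` (it is printed on stderr).
    "1.8.0_292" -> 8 (legacy scheme), "11.0.14" -> 11, "17" -> 17."""
    m = re.search(r'version "([^"]+)"', version_line)
    if not m:
        raise ValueError(f"unrecognised java -version line: {version_line!r}")
    parts = m.group(1).split(".")
    return int(parts[1]) if parts[0] == "1" else int(parts[0])


def inspect_artifact(name: str, fileobj) -> Artifact:
    """Classify a JAR/WAR by its layout and list the libraries it bundles."""
    with zipfile.ZipFile(fileobj) as zf:
        names = zf.namelist()
        if any(n.startswith("WEB-INF/") for n in names):
            packaging = "war"
        elif "META-INF/MANIFEST.MF" in names and re.search(
            r"^Main-Class:", zf.read("META-INF/MANIFEST.MF").decode(), re.M
        ):
            packaging = "executable-jar"
        else:
            packaging = "jar"
        libs = sorted(os.path.basename(n) for n in names if n.endswith(".jar"))
    return Artifact(name, packaging, libs)


def assess(artifact: Artifact, java_major: int) -> dict:
    """Apply the bulletin's two preconditions. Returns {CVE: (met, reason)};
    met=True means 'review further', not 'exploitable'."""
    has_scf = any(SPRING_CLOUD_FUNCTION.match(lib) for lib in artifact.libs)
    reason_22963 = ("spring-cloud-function-context is bundled" if has_scf
                    else "no spring-cloud-function-context dependency")
    if artifact.packaging != "war":
        met_22965, reason_22965 = False, f"packaged as {artifact.packaging}, not a WAR on Tomcat"
    elif java_major < 9:
        met_22965, reason_22965 = False, f"runs on JDK {java_major}, below 9"
    else:
        met_22965, reason_22965 = True, f"WAR deployment on JDK {java_major}"
    return {"CVE-2022-22963": (has_scf, reason_22963),
            "CVE-2022-22965": (met_22965, reason_22965)}


def build_sample(entries: dict) -> io.BytesIO:
    """Constructed in-memory archive standing in for a real deployment artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    buf.seek(0)
    return buf


# Constructed samples (hypothetical contents and version numbers).
BOOT_JAR = build_sample({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"
                            "Main-Class: org.springframework.boot.loader.JarLauncher\n",
    "BOOT-INF/lib/spring-beans-5.3.17.jar": b"",
    "BOOT-INF/lib/spring-webmvc-5.3.17.jar": b"",
})
WAR = build_sample({
    "WEB-INF/web.xml": "<web-app/>",
    "WEB-INF/lib/spring-beans-5.3.17.jar": b"",
    "WEB-INF/lib/spring-cloud-function-context-3.1.6.jar": b"",
})


def triage_samples() -> dict:
    """Run the constructed samples under constructed `java -version` lines."""
    cases = [
        ("service.jar", BOOT_JAR, 'openjdk version "11.0.14" 2022-01-18'),
        ("legacy.war", WAR, 'java version "1.8.0_292"'),
        ("legacy-on-jdk17.war", WAR, 'openjdk version "17.0.2" 2022-01-18'),
    ]
    results = {}
    for name, fobj, version_line in cases:
        fobj.seek(0)
        artifact = inspect_artifact(name, fobj)
        results[name] = assess(artifact, java_major_version(version_line))
    return results


if __name__ == "__main__":
    for name, verdicts in triage_samples().items():
        for cve, (met, reason) in verdicts.items():
            print(f"{name:22} {cve}: {'review' if met else 'not applicable'} ({reason})")
```

On a real deployment, replace the constructed archives with `open(path, "rb")` handles for each artifact under the service's install directory and feed the first line of `java -version 2>&1` from the host to `java_major_version`. The same executable-JAR/WAR distinction the bulletin draws is what `inspect_artifact` keys on: a Spring Boot fat jar carries `BOOT-INF/` and a `Main-Class` manifest entry, whereas a Tomcat-deployed application carries `WEB-INF/`.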


SAS® Cloud Solutions

SAS Cloud and SAS Information Services are aware of the CVEs that are listed in this bulletin and are actively working to ensure that protection capabilities are up to date. SAS will continue to adjust these controls as vendors update their signatures and as public detection methods continue to mature.

SAS will continue to update this bulletin as additional information becomes available.
