nordic-institute / X-Road

Source code of the X-Road® data exchange layer software
https://x-road.global

Execution Vulnerability CVE-2022-22965 #1213

Closed trungnv0412 closed 2 years ago

trungnv0412 commented 2 years ago

Dear @petkivim!

Now, we have Execution Vulnerability CVE-2022-22965 for Spring Framework. Affected Software and Versions: Existing proofs of concept (PoCs) for exploitation work under the following conditions:

Is Xroad affected by this vulnerability? If so, do you have any solution to fix it?

petkivim commented 2 years ago

Hi @trungnv0412

Based on the information that's available about the vulnerability currently, X-Road isn't affected by the vulnerability. However, new ways to exploit the vulnerability may still be discovered and we continue to monitor the situation.

Spring Boot is only used in the xroad-proxy-ui-api component that should be accessible by the Security Server administrators from internal network only, not from the public Internet. It means that the potential attack vector is rather limited. Also, the affected part of the Spring Boot code base isn't used by the Security Server.

Nevertheless, we're going to release patch releases 6.26.2 and 7.0.3 within the next couple of weeks.

trungnv0412 commented 2 years ago

Thanks for your support @petkivim !