2022: Security Advisory: Spring4Shell Java Spring Framework
Summary | NT-ware is aware of a new remote code execution vulnerability affecting the Java Spring Framework. Named Spring4Shell and tracked as CVE-2022-22965, this vulnerability is in the Java ‘Spring’ library. We tasked our security and development team to investigate, mitigate and communicate our activities. These activities have concluded, and the results are listed below. As it is early in the release of this vulnerability, the information below is subject to change if new exploits are identified. |
Advisory release date | 4th April 2022 |
Product Affected | uniFLOW sysHUB |
Products Reviewed | NT-ware Web Sites, uniFLOW Server, uniFLOW Online and PRISMAsatellite |
CVE | CVE-2022-22965 |
Severity
<NT-ware rates the severity level of this vulnerability as …>
Summary of Vulnerability
NT-ware - company
All public-facing sites and services have been reviewed and scanned by vulnerability assessment tools and human inspection.
Some internal services have been identified as using components affected by Spring4Shell. We have taken immediate steps to patch them or put mitigation controls in place.
uniFLOW
None of the uniFLOW components are affected:
uniFLOW Server, Remote Print Servers, SmartClients, Internet Gateway, Web Submission, and supporting services.
uniFLOW Embedded Applets for:
Canon MEAP devices
varioPrint 140 devices
ColorWave/PlotWave printers
ScanFront devices
Xerox/HP/Samsung/Konica Minolta/Brother/Sharp/OKI/EPSON/Lexmark devices
Devices connected with uniFLOW Release Stations
uniFLOW Online/uniFLOW Online Express
None of the uniFLOW Online/uniFLOW Online Express components are affected:
The platform itself, SmartClients, and supporting services
uniFLOW Embedded Applets for Canon MEAP devices
Devices connected with uniFLOW Release Stations
PRISMAsatellite
None of the PRISMAsatellite components are affected.
Affected Versions
Please Note: The ‘Affected’ versions are NOT affected by the vulnerability and cannot be exploited. We list them because the components are visible when scanned and might present as false positives.
Product | Affected versions |
COSMOS V2.9 and sysHUB 2021 | uniFLOW sysHUB: None of the uniFLOW sysHUB (Cosmos) components are affected: |
Fixed Versions
Product | Fix versions |
What You Need to Do
Please review the provided information and upgrade accordingly as needed.
Mitigation
No mitigations are required as we are not directly exploitable.
Support
If you have further questions, please contact your Canon / Canon Business Partner representative.