NT-ware is aware of a new remote code execution vulnerability affecting the Java Spring Framework. Named Spring4Shell and tracked as CVE-2022-22965, this vulnerability is in the Java ‘Spring’ library. We tasked our security and development teams to investigate, mitigate and communicate our activities. These activities have concluded and the results are listed below. As it is early in the disclosure of this vulnerability, the information below is subject to change if new exploits are identified.
Advisory release date
4th April 2022
NT-ware Web Sites, uniFLOW Server, uniFLOW Online and PRISMAsatellite
<NT-ware rates the severity level of this vulnerability as …>
Summary of Vulnerability
NT-ware - company
All public-facing sites and services have been reviewed and scanned by vulnerability assessment tools and human inspection.
Some internal services have been identified as utilizing the affected Spring library. We have taken immediate steps to patch them or put mitigation controls in place.
None of the uniFLOW components are affected:
uniFLOW Server, Remote Print Servers, SmartClients, Internet Gateway, Web Submission, and supporting services.
None of the uniFLOW Online/uniFLOW Online Express components are affected:
The platform itself, SmartClients, and supporting services
uniFLOW Embedded Applets for Canon MEAP devices
Devices connected with uniFLOW Release Stations
None of the PRISMAsatellite components are affected.
Please note: the versions listed as ‘Affected’ are NOT affected by the vulnerability and cannot be exploited. We list them because the components are visible if scanned and might present as a false positive.
COSMOS V2.9 and sysHUB 2021
None of the uniFLOW sysHUB (Cosmos) components are affected:
While the Spring library is present in the uniFLOW sysHUB (Cosmos) product, we can confirm it is NOT affected by this vulnerability.
COSMOS versions earlier than 2.9 use Java 8, whereas the vulnerability requires Java 9 or later.
Since COSMOS V2.9 and sysHUB 2021, Java 11 has been used, but the following points exclude the vulnerability:
All versions of COSMOS and sysHUB use Jetty instead of Tomcat for the servlet engine
All standard web applications are NOT deployed as WAR files
Spring-webflux is NOT used in any of the standard web applications.
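The reasoning above (library present, but runtime, servlet engine and packaging rule the exploit out) can be written down as a triage check. The following is an added example, not NT-ware's code; it assumes the publicly documented preconditions of CVE-2022-22965 (JDK 9 or later, Apache Tomcat as servlet engine, deployment as a WAR, spring-webmvc or spring-webflux on the classpath) and the fixed Spring Framework releases 5.3.18 and 5.2.20, which this advisory does not list, and its jar names and version strings are constructed sample data.

```python
import re

# Assumed public preconditions of the CVE-2022-22965 exploit: JDK 9+, Apache Tomcat
# as servlet container, application packaged as a WAR, spring-webmvc or
# spring-webflux on the classpath. Fixed in Spring Framework 5.3.18 / 5.2.20.
JAR_RE = re.compile(r"^spring-(webmvc|webflux)-(\d+)\.(\d+)\.(\d+)\.jar$")


def java_major(version_output: str) -> int:
    """Parse the major release from `java -version` text ('1.8.0_292' -> 8, '11.0.14' -> 11)."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_output)
    if not m:
        raise ValueError("unrecognised java -version output")
    major = int(m.group(1))
    minor = int(m.group(2)) if m.group(2) else 0
    return minor if major == 1 else major  # legacy "1.x" scheme means Java x


def spring_web_version(jars):
    """Return (module, version tuple) for the first spring-webmvc/webflux jar, or None."""
    for jar in jars:
        m = JAR_RE.match(jar)
        if m:
            return m.group(1), tuple(int(x) for x in m.groups()[1:])
    return None


def triage(version_output: str, jars, deployed_as_war: bool):
    """Return (exploitable, reasons); reasons lists every precondition that is NOT met."""
    reasons = []
    found = spring_web_version(jars)
    if found is None:
        reasons.append("no spring-webmvc/spring-webflux jar on classpath")
    else:
        module, ver = found
        # 5.3.18+ and 5.2.20+ carry the fix; older releases contain the affected code
        if ver >= (5, 3, 18) or (5, 2, 20) <= ver < (5, 3, 0):
            reasons.append(f"{module} {'.'.join(map(str, ver))} already contains the fix")
    if java_major(version_output) < 9:
        reasons.append("runtime is Java 8 or older")
    if not any("tomcat" in j.lower() or "catalina" in j.lower() for j in jars):
        reasons.append("servlet engine is not Apache Tomcat")
    if not deployed_as_war:
        reasons.append("application is not deployed as a WAR")
    return (not reasons), reasons


# Constructed sample inputs (not real inventory data).
JAVA11 = 'openjdk version "11.0.14" 2022-01-18'
JAVA8 = 'openjdk version "1.8.0_292"'
JETTY_APP = ["spring-webmvc-5.3.16.jar", "jetty-server-9.4.44.jar"]  # sysHUB-like layout
TOMCAT_APP = ["spring-webmvc-5.3.16.jar", "tomcat-embed-core-9.0.58.jar"]
```

A scanner that only matches the spring-webmvc jar name would flag JETTY_APP, while triage() reports it as not exploitable because Jetty is the servlet engine and nothing is deployed as a WAR.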
Version sysHUB 2022.1
Out of an abundance of caution, we will be taking further actions moving forward. Please note there is NO need to perform any patching of existing systems/installations to mitigate the known listed exploits.
We will update Spring library to the latest version with sysHUB 2022.1
The build pipeline's capability to deploy WAR files will also be disabled with sysHUB 2022.1.
What You Need to Do
Please review the provided information and upgrade accordingly as needed.
No mitigations are required, as our products are not directly exploitable.
If you have further questions, please contact your Canon / Canon Business Partner representative.