Delphix Products

 View Only

Response to Recent News about Spring Framework RCE

By Rajesh Dharmalingam posted 04-05-2022 04:54:20 PM


We are aware of the recently reported remote code execution (RCE) vulnerability in Spring Framework, reported as CVE-2022-22965. The current state of analysis is that while this is potentially a serious vulnerability, it is only exploitable in certain conditions, notably JDK 9 or higher is required and Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions are affected, in addition the application has to be packaged as a traditional WAR (in contrast to a Spring Boot executable jar).  JDK 8 is not impacted as the change that intersects with Spring Framework to create this vulnerability was introduced in Java 9+ (see both the announcement from, and the analysis from Contrast Security).


  • There is no impact to either the Delphix Virtualization (Continuous Data) engine, or the Delphix Masking (Continuous Compliance) Engine as these are both based on Java 8.
  • There is no impact to Data Control Tower (DCT) SaaS as it is based on Python and Java 8.
  • There is no impact to Data Control Tower (DCT) Multi Cloud even though it uses Java 11, as it uses spring boot packaged as an executable jar rather than as a WAR.  In an abundance of caution we will release a patch version of DCT MC with the latest Spring Framework that addresses this vulnerability.