We are aware of the recently reported remote code execution (RCE) vulnerability in Spring Framework, tracked as CVE-2022-22965. The current state of analysis is that, while this is potentially a serious vulnerability, it is only exploitable under certain conditions: JDK 9 or higher is required; Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions are affected; and the application has to be packaged as a traditional WAR (in contrast to a Spring Boot executable jar). JDK 8 is not impacted, as the change that intersects with Spring Framework to create this vulnerability was introduced in Java 9+ (see both the announcement from spring.io and the analysis from Contrast Security).
Impact
- There is no impact to either the Delphix Virtualization (Continuous Data) Engine or the Delphix Masking (Continuous Compliance) Engine, as these are both based on Java 8.
- There is no impact to Data Control Tower (DCT) SaaS as it is based on Python and Java 8.
- There is no impact to Data Control Tower (DCT) Multi Cloud even though it uses Java 11, as it uses Spring Boot packaged as an executable jar rather than as a WAR. In an abundance of caution we will release a patch version of DCT MC with the latest Spring Framework that addresses this vulnerability.
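The three conditions above can be turned into a triage check for an inventory of deployments. The script below is an added example, not code from Delphix or the Spring project; the version-string formats it parses and the sample deployments at the bottom are assumptions and constructed inputs, not the products named in this notice.

```python
"""Triage helper for CVE-2022-22965 exposure (added example, not part of the advisory).
Encodes the advisory's three conditions: JDK 9 or higher, an affected Spring Framework
version (5.3.0-5.3.17, 5.2.0-5.2.19, or older), and deployment as a traditional WAR."""
import re

# Affected ranges as stated in the advisory; anything below 5.2.0 counts as "older versions".
AFFECTED_RANGES = [((5, 3, 0), (5, 3, 17)), ((5, 2, 0), (5, 2, 19))]
OLDEST_LISTED = (5, 2, 0)

def parse_version(version):
    """'5.3.17', '5.2.19.RELEASE' or '5.3.18-SNAPSHOT' -> (5, 3, 17), (5, 2, 19), (5, 3, 18)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError("unrecognised Spring Framework version: %r" % version)
    return tuple(int(x) for x in m.groups())

def spring_version_affected(version):
    """True when the version falls in a listed range or predates 5.2.0 entirely."""
    v = parse_version(version)
    return v < OLDEST_LISTED or any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def java_major(version):
    """Map java.version strings to a major number: '1.8.0_312' -> 8, '11.0.14' -> 11, '17' -> 17."""
    parts = version.strip().split(".")
    if parts[0] == "1" and len(parts) > 1:  # legacy '1.x' numbering used up to JDK 8
        return int(parts[1])
    return int(re.match(r"\d+", parts[0]).group())

def is_exposed(spring_version, java_version, packaging):
    """Return (exposed, reasons). Exposed only when all three advisory conditions hold;
    otherwise 'reasons' lists which condition rules the deployment out."""
    reasons = []
    if java_major(java_version) < 9:
        reasons.append("JDK 8 or lower: the Java 9+ change the exploit relies on is absent")
    if not spring_version_affected(spring_version):
        reasons.append("Spring Framework version is outside the affected ranges")
    if packaging.lower() != "war":
        reasons.append("not a traditional WAR deployment (e.g. Spring Boot executable jar)")
    return (not reasons, reasons)

if __name__ == "__main__":
    # Constructed sample deployments; these are not the products named in the advisory.
    samples = [("5.3.17", "11.0.14", "war"), ("5.3.17", "1.8.0_312", "war"),
               ("5.3.18", "17.0.2", "war"), ("5.3.17", "11.0.14", "jar")]
    for spring, java, pkg in samples:
        exposed, why = is_exposed(spring, java, pkg)
        print(spring, java, pkg, "EXPOSED" if exposed else "not exposed: " + "; ".join(why))
```

A deployment is flagged only when every condition holds, so a Java 8 host or an executable-jar deployment is reported as not exposed along with the reason.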