Catalogic Software has not identified any vulnerability in the Catalogic DPX data protection releases due to CVE-2022-22965 which might affect some versions of VMware Spring Framework and applications on these frameworks.
On March 31, 2022, VMware announced a possible vulnerability in VMware Spring Framework:
- VMware: "CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+"
- Reference. US National Institute of Standard and Technology (NIST): "CVE-2022-22965 Detail"
Upon the initial announcement by VMware, the Catalogic security team investigated the current Catalogic DPX data protection releases, including Catalogic vStor in the Catalogic DPX 4.8.0 release. After the initial investigation of April 2022, the security team concluded that there are not any components in the current Catalogic DPX data protection releases that are affected by the vulnerability CVE-2022-22965 in typical workload scenarios. Catalogic Software is preparing to release Catalogic DPX 4.8.1 with a newer version of the VMware Spring Framework 5 that addresses the vulnerability CVE-2022-22965.
Contact Catalogic Support if you have any question about the Catalogic DPX data protection:
- Email (24/7 - Global): dpsupport@catalogicsoftware.com
- Phone (Americas): +1 (877) 600 8280
- Phone (Netherlands): +31 (0) 20 347 23 88
- Phone (EMEA): +800 796 27678