Pega Infinity - Spring4Shell Vulnerability Assessment
Hi, does the latest "spring4shell" vulnerability affect Pega Infinity platform in any way? "Spring4Shell" is basically a vulnerability affecting the core spring framework where it allows remote code execution. As far as my assessment goes there are no references to spring core framework in the standard Pega Infinity installation. Can somebody from Product team confirm this?
Below is the link to one of the many sources on the "spring4shell" vulnerability
Updated: 1 Apr 2022 8:52 EDT
Pegasystems Inc.
NL
Hi @ArunS775, at this moment we don't have an indication that our Pega Infinity server is impacted by this as we're not dependent on spring-webmvc or spring-webflux.
We'll continue to analyze and monitor the situation as it unfolds.
TSYS
US
@Eric Rietveld Do you know if clients with self-hosted implementations running Pega 8.3.1 would be impacted?
Thanks,
Angel
Pegasystems Inc.
NL
Hi @angelf21, your self-hosted version of Pega Infinity will have parts of the vulnerable library, however are also not exploitable as the Spring libraries are not used for any inbound data traffic handling.
I do hope that you're planning to update your 8.3.1 version soon, since we have many other security and stability improvements that you're missing out on.
Kind regards,