This Security Advisory was originally published to Pega Documentation on April 18, 2022. It was moved to the Pega Support Center on August 31, 2022.
A number of vulnerabilities have been reported in the Spring Framework third-party product. Most Pega products and services do not use the Spring component, so they are not affected by these vulnerabilities. A few Pega products do include Spring, but are not exposed to the listed vulnerabilities (details below):
CVE-2022-22947: “Spring Cloud Gateway RCE”
None of Pega’s products or services use Spring Cloud Gateway, so no Pega products or services are impacted.
CVE-2022-22950: “DoS using Spring SpEL expressions”
None of Pega’s products or services use Spring SpEL expressions, so no Pega products or services are impacted.
CVE-2022-22963: “Spring Cloud RCE”
None of Pega’s products or services use Spring Cloud, so no Pega products or services are impacted.
CVE-2022-22968: “Case-sensitive pattern for disallowedFields on a DataBinder”
None of Pega’s products or services use the Spring DataBinder feature, so no Pega products or services are impacted.
CVE-2022-22969: “Spring Security OAuth 2”
None of Pega’s products or services use Spring Security OAuth, so no Pega products or services are impacted.
CVE-2022-22965: “Spring4Shell”
Pega has researched this issue for Pega Cloud. None of the internal cloud infrastructure services use Spring.
Pega has researched this issue for the following Pega products or services, which are not impacted:
- Pega Platform versions 6.x, 7.x, and 8.x
- Constellation (not based in Java, so not exposed to this vulnerability)
- Pega Chat (does not use Spring)
- Pega Co-Browse (does not use Spring)
- Robotic Automation (does not use Spring)
- Robot Manager (does not use Spring)
- Digital Messaging (does not use Spring)
- WFI (does not use Spring)
Further details for additional Pega products:
- Pega Platform/Pega Infinity: Although this product does include Spring as a third-party component, it does not include the vulnerable spring-webmvc / spring-webflux libraries. Spring is only used for the Text Analytics feature, and Pega Platform does not use the vulnerable features (request mapping and parameter binding). Pega Platform does not use Spring to process inbound traffic, and so is not exposed to this vulnerability; this applies to all versions 6.x - 8.7.1 on all supported JVMs.
- Legacy CDM: Although this product does include Spring as a third-party component, it does not include the vulnerable spring-webmvc / spring-webflux libraries (except VBD, see below for additional details). Since Java 9+ is not supported for this product, Legacy CDM is not exposed to this vulnerability.
- ADM Standalone, version 7.x: Although this product does include Spring as a third-party component, it does not include the vulnerable spring-webmvc / spring-webflux libraries. Since Java 9+ is not supported for this product, it is not exposed to this vulnerability.
- VBD Standalone, version 7.x & Legacy CDM: These products do include the spring-webmvc library, but Java 9+ is not supported. Therefore, these products are not exposed to the vulnerability when they are deployed on supported JVM versions.
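The per-product reasoning above comes down to two preconditions for CVE-2022-22965: a spring-webmvc or spring-webflux library on the classpath, and a JVM of Java 9 or later. The following script is an added example (not Pega's code or part of this advisory) that applies those preconditions to a jar inventory of a deployment; the fixed Spring Framework versions it compares against (5.3.18 and 5.2.20) come from the upstream Spring advisory, not from this page, and the sample inventories are constructed.

```python
import re
from pathlib import Path

# Assumption (from the upstream Spring Framework advisory, not this page):
# CVE-2022-22965 is fixed in 5.3.18 and 5.2.20; older minor lines got no fix.
FIXED_VERSIONS = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
JAR_RE = re.compile(r"^(spring-web(?:mvc|flux))-(\d+)\.(\d+)\.(\d+)\.jar$")

def find_spring_web_jars(jar_names):
    """Return (artifact, version tuple) for each spring-webmvc/spring-webflux jar."""
    found = []
    for name in jar_names:
        m = JAR_RE.match(Path(name).name)
        if m:
            found.append((m.group(1), tuple(int(x) for x in m.group(2, 3, 4))))
    return found

def is_vulnerable_version(version):
    """True if this Spring Framework version predates the CVE-2022-22965 fix."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return version < (5, 2, 20)  # 5.1 and older were never patched
    return version < fixed

def assess_spring4shell(jar_names, java_major):
    """Apply the advisory's preconditions: JDK 9+ plus a vulnerable spring-web* jar."""
    jars = find_spring_web_jars(jar_names)
    if not jars:
        return "not exposed: no spring-webmvc / spring-webflux library present"
    if java_major < 9:
        return "not exposed: spring-web* present but JVM is Java %d (< 9)" % java_major
    bad = ["%s-%s" % (a, ".".join(map(str, v))) for a, v in jars if is_vulnerable_version(v)]
    if not bad:
        return "not exposed: spring-web* present on Java %d but at a fixed version" % java_major
    return "EXPOSED on Java %d: upgrade %s to 5.3.18+ / 5.2.20+" % (java_major, ", ".join(bad))

def scan_lib_dir(lib_dir, java_major):
    """Assess every *.jar in a deployment's lib directory (java_major from `java -version`)."""
    return assess_spring4shell([p.name for p in Path(lib_dir).glob("*.jar")], java_major)

# Constructed sample inventories (not real Pega deployments) mirroring the cases
# above: a platform without spring-webmvc, and a VBD-style install with it.
PLATFORM_LIBS = ["spring-core-5.3.16.jar", "spring-context-5.3.16.jar", "prweb.jar"]
VBD_LIBS = ["spring-core-5.3.16.jar", "spring-webmvc-5.3.16.jar"]

if __name__ == "__main__":
    print(assess_spring4shell(PLATFORM_LIBS, 11))  # no spring-webmvc -> not exposed
    print(assess_spring4shell(VBD_LIBS, 8))        # Java 8 -> not exposed
    print(assess_spring4shell(VBD_LIBS, 11))       # Java 11 + old webmvc -> EXPOSED
```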