Alteryx’s Response to CVE-2022-22965 Spring4Shell Vulnerability

This article was written by MattH and originally appeared on the Alteryx Analytics blog here: https://community.alteryx.com/t5/Analytics/Alteryx-s-Response-to-CVE-2022-22965-Spring4Shell-Vulnerability/ba-p/930977

 

What Is Spring4Shell - CVE-2022-22965

CVE-2022-22965 or Spring4Shell is a vulnerability found in the Spring Framework running on Java Development Kit 9, allowing for potential data leaks and remote code execution in vulnerable applications.  Spring is an open source lightweight Java platform development framework used to create high-quality, easily testable code and is currently owned by VMWare.

 

Products Confirmed As Not Impacted

  • Designer
  • Designer Cloud
  • Intelligence Suite
  • Lore IO
  • Machine Learning
  • Promote
  • Public Gallery
  • Server/Gallery
  • Third Party Software

 

Products Confirmed As Patched

  • Trifacta – Patch applied
  • Trifacta Cloud – Patch applied
  • Hyper Anna – Patch applied
  • Hyper Anna Cloud – Patch applied

While both products were found to be unaffected, we have applied suggested patches from Spring.

 

Products Impacted

  • Connect

All versions of Connect have vulnerable dependencies and we recommend updating the Apache Tomcat Server included in the install.  Step by step instructions for accomplishing this are available here.  If you require further assistance, please contact Customer Support.

 

Alteryx will also be providing fixed versions of Connect for currently supported versions as they become available.  The current supported versions of Connect are:

 

Version Release Date End of Support
2021.4 2/2/2022 8/2/2023
2021.3 8/11/2021 2/11/2023
2021.2 5/17/2021 11/17/2022
2021.1 2/10/2021 8/10/2022
2020.4 11/18/2020 5/18/2022