This article was written by MattH and originally appeared on the Alteryx Analytics blog here: https://community.alteryx.com/t5/Analytics/Alteryx-s-Response-to-CVE-2022-22965-Spring4Shell-Vulnerability/ba-p/930977
What Is Spring4Shell - CVE-2022-22965
CVE-2022-22965 or Spring4Shell is a vulnerability found in the Spring Framework running on Java Development Kit 9, allowing for potential data leaks and remote code execution in vulnerable applications. Spring is an open source lightweight Java platform development framework used to create high-quality, easily testable code and is currently owned by VMWare.
Products Confirmed As Not Impacted
- Designer
- Designer Cloud
- Intelligence Suite
- Lore IO
- Machine Learning
- Promote
- Public Gallery
- Server/Gallery
- Third Party Software
Products Confirmed As Patched
- Trifacta – Patch applied
- Trifacta Cloud – Patch applied
- Hyper Anna – Patch applied
- Hyper Anna Cloud – Patch applied
While both products were found to be unaffected, we have applied suggested patches from Spring.
Products Impacted
- Connect
All versions of Connect have vulnerable dependencies and we recommend updating the Apache Tomcat Server included in the install. Step by step instructions for accomplishing this are available here. If you require further assistance, please contact Customer Support.
Alteryx will also be providing fixed versions of Connect for currently supported versions as they become available. The current supported versions of Connect are:
| Version | Release Date | End of Support |
| 2021.4 | 2/2/2022 | 8/2/2023 |
| 2021.3 | 8/11/2021 | 2/11/2023 |
| 2021.2 | 5/17/2021 | 11/17/2022 |
| 2021.1 | 2/10/2021 | 8/10/2022 |
| 2020.4 | 11/18/2020 | 5/18/2022 |