Introduction

EVS is actively responding to the reported vulnerability in Spring MVC and Spring WebFlux applications, dubbed Spring4Shell. We are currently conducting a product-by-product analysis to determine whether any EVS products are potentially impacted by the vulnerability. This is an ongoing investigation, so please check this bulletin page frequently for updates.

Description

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
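
The conditions above can be checked per deployment during a product-by-product review. The following Python is an added example, not EVS or Spring code; the function names, the constructed sample archives, and the use of `WEB-INF/` and `BOOT-INF/` entries to tell a WAR from a Spring Boot executable jar are assumptions made for illustration.

```python
import io
import re
import zipfile

def java_major(version_output):
    """Major version from `java -version` text; legacy '1.8.0_x' means Java 8."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_output)
    if not m:
        raise ValueError("no Java version string found")
    first, second = int(m.group(1)), m.group(2)
    return int(second) if first == 1 and second else first

def archive_profile(data):
    """Inspect entry names only; nothing is extracted or executed."""
    names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    lib = re.compile(r"^(WEB-INF|BOOT-INF)/lib/spring-web(mvc|flux)-[^/]+\.jar$")
    return {
        "spring": any(lib.match(n) for n in names),
        # Assumption: WEB-INF/ marks a WAR layout, BOOT-INF/ a Boot executable jar.
        "war": any(n.startswith("WEB-INF/") for n in names),
        "boot_jar": any(n.startswith("BOOT-INF/") for n in names),
    }

def triage(version_output, archive, on_tomcat):
    """Return (verdict, per-condition results) for one deployment."""
    p = archive_profile(archive)
    checks = {
        "jdk9_plus": java_major(version_output) >= 9,
        "spring_mvc_or_webflux": p["spring"],
        "war_on_tomcat": p["war"] and on_tomcat,
    }
    if all(checks.values()):
        return "matches known exploit conditions", checks
    if checks["spring_mvc_or_webflux"]:
        # The issue is more general than the known exploit: keep under analysis.
        return "affected framework present, known exploit conditions not met", checks
    return "no Spring MVC/WebFlux library found", checks

def make_archive(names):
    """Build a constructed sample archive in memory (empty entries)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, b"")
    return buf.getvalue()

if __name__ == "__main__":
    war = make_archive(["WEB-INF/web.xml", "WEB-INF/lib/spring-webmvc-0.0.0.jar"])
    boot = make_archive(["BOOT-INF/lib/spring-webmvc-0.0.0.jar", "META-INF/MANIFEST.MF"])
    print(triage('openjdk version "11.0.14" 2022-01-18', war, on_tomcat=True))
    print(triage('java version "1.8.0_322"', boot, on_tomcat=False))
```

A deployment that does not match the known exploit conditions but still carries the framework is reported separately, because the description above notes that other ways to exploit the issue may exist.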

Products under investigation or not impacted

| Product | Version | Status | Comment |
|---|---|---|---|
| CCast | All | Not vulnerable | |
| Cerebrum | All | Under analysis | |
| Dyvi | All | Not affected | |
| Ingest Funnel | All | Not vulnerable | |
| IPDirector | All | Not affected | The service runs under Java 8 and not under Tomcat (under these conditions there is no vulnerability). |
| IPD-VIA | All | Not affected | |
| IPLink for Adobe | All | Under analysis | |
| IPLink for Avid | All | Under analysis | |
| IPWeb | All | Not vulnerable | |
| LSM Connect | All | Not vulnerable | |
| LSM-VIA | All | Not vulnerable | |
| MAD | All | Not vulnerable | |
| Mediahub | All | Under analysis | |
| Multicam (XT) | All | Not affected | |
| MultiReview | All | Under analysis | |
| Neuron | All | Under analysis | |
| PMZ | All | Under analysis | |
| Synapse | All | Under analysis | |
| Teradici Cloud Access | All | Not affected | |
| Truck Manager | All | Not affected | |
| Xeebra | All | Not vulnerable | |
| XFile | All | Not affected | |
| XnetMonitor | All | Under analysis | |
| XnetWebMonitor | All | Under analysis | |
| X-One | All | Not vulnerable | |
| Xplore | All | Not vulnerable | |
| Xsquare | All | Not vulnerable | |
| Xstore | All | Under analysis | |
| Xedio | All | Not vulnerable | |
| XTAccess | All | Not vulnerable | |
| XS-NEO | All | Not vulnerable | |
| XHub-VIA | All | Not vulnerable | |

Known EVS impacted products & resolution

This list is under investigation and will be regularly updated.

| Product | Version | Status | Workaround | Patch |
|---|---|---|---|---|

More information

More information and detailed explanations of how this vulnerability works can be found via the links below: