Updated 24 May 2022 - 12:00 CET
EVS is actively responding to the reported vulnerability in Spring MVC and Spring WebFlux applications dubbed Spring4Shell (CVE-2022-22965). We are conducting a product-by-product analysis to determine which products, if any, are impacted. This is an ongoing investigation, so please check this bulletin page frequently for updates.
A Spring MVC or Spring WebFlux application running on JDK 9 or newer may be vulnerable to remote code execution (RCE) via data binding. The publicly known exploit requires the application to run on Tomcat as a WAR deployment; an application deployed as a Spring Boot executable jar (the default) is not vulnerable to that exploit. The underlying weakness is more general, however, and other ways to exploit it may exist, so products that embed an affected Spring Framework version should be updated even where the known exploit chain does not apply.
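The three exposure conditions in the paragraph above (JDK 9+, an unpatched Spring Framework on the classpath, a WAR deployment on Tomcat) lend themselves to a triage script. The following is an added example written for this bulletin, not EVS tooling and not part of the original page: it parses Spring Framework versions from jar file names, maps `java.version` strings to a major release, and classifies each deployment. The inventory records are constructed sample data, and the status labels `exploitable` / `patch recommended` / `not affected` are this example's own naming.

```python
"""Triage helper for CVE-2022-22965 (Spring4Shell). Added example, not EVS code.

Encodes the exposure conditions from the bulletin: JDK 9 or newer, a Spring
Framework version before the fixed 5.2.20 / 5.3.18 releases, and a WAR
deployment on Tomcat. The inventory at the bottom is constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per maintained line, from the Spring advisory.
FIXED: Dict[Tuple[int, int], Version] = {(5, 2): (5, 2, 20), (5, 3): (5, 3, 18)}

# Matches e.g. spring-beans-5.3.17.jar or spring-webmvc-5.2.19.RELEASE.jar
SPRING_JAR = re.compile(
    r"^spring-(?:beans|core|context|webmvc|webflux)-(\d+)\.(\d+)\.(\d+)(?:\.RELEASE)?\.jar$"
)


def java_major(version: str) -> int:
    """Major release of a java.version string: '1.8.0_312' -> 8, '11.0.14' -> 11, '17' -> 17."""
    parts = version.split(".")
    if parts[0] == "1":  # legacy 1.x scheme used by JDK 8 and older
        return int(parts[1])
    return int(re.match(r"\d+", parts[0]).group())  # tolerates '17.0.2+8', '9-ea'


def spring_version(jar_name: str) -> Optional[Version]:
    """Spring Framework version encoded in a jar file name, or None for other jars."""
    m = SPRING_JAR.match(jar_name)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def spring_is_vulnerable(version: Version) -> bool:
    """True when the version predates the fix in its line (or the line was never fixed)."""
    line = (version[0], version[1])
    if line in FIXED:
        return version < FIXED[line]
    # Lines older than 5.2 are out of support and never received the fix;
    # anything newer than 5.3 shipped after the fix.
    return line < (5, 2)


@dataclass
class Deployment:
    name: str
    java_version: str
    jars: List[str]
    container: str  # "tomcat", "jetty", "standalone", ...
    packaging: str  # "war" or "jar"


def assess(d: Deployment) -> str:
    """Classify a deployment against the bulletin's exposure conditions."""
    versions = [v for v in (spring_version(j) for j in d.jars) if v is not None]
    if not versions or not any(spring_is_vulnerable(v) for v in versions):
        return "not affected"  # no Spring Framework, or already on a fixed release
    known_chain = (
        java_major(d.java_version) >= 9
        and d.container == "tomcat"
        and d.packaging == "war"
    )
    # Unpatched library present: the known exploit applies only with the full
    # chain, but the bulletin still calls for updating the library.
    return "exploitable" if known_chain else "patch recommended"


# Constructed sample inventory (hypothetical services, not EVS products).
SAMPLE_INVENTORY = [
    Deployment("svc-java8-standalone", "1.8.0_312",
               ["spring-beans-5.3.17.jar", "spring-core-5.3.17.jar"], "standalone", "jar"),
    Deployment("svc-tomcat-war", "11.0.14", ["spring-webmvc-5.3.17.jar"], "tomcat", "war"),
    Deployment("svc-tomcat-war-patched", "17.0.2", ["spring-webmvc-5.3.18.jar"], "tomcat", "war"),
    Deployment("svc-old-line", "11.0.14", ["spring-webmvc-5.2.19.RELEASE.jar"], "tomcat", "war"),
    Deployment("svc-no-spring", "17", ["tomcat-embed-core-9.0.60.jar"], "tomcat", "war"),
]


def triage(inventory: List[Deployment] = SAMPLE_INVENTORY) -> Dict[str, str]:
    """Name -> status for every deployment in the inventory."""
    return {d.name: assess(d) for d in inventory}


if __name__ == "__main__":
    for name, status in triage().items():
        print(f"{name:28s} {status}")
```

The `patch recommended` state is the important one for a bulletin like this: it covers cases such as the Java 8 / non-Tomcat services in the table below, where the known exploit does not apply but an affected library is still on the classpath.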
Product | Version | Status | Comment |
---|---|---|---|
CCast | All | Not affected | |
Cerebrum | All | Not affected | |
Dyvi | All | Not affected | |
Ingest Funnel | All | Not affected | |
IPDirector | All | Not affected | The service runs on Java 8 and is not deployed on Tomcat; the known exploit requires JDK 9+ and a Tomcat WAR deployment. |
IPD-VIA | All | Not affected | |
IPLink for Adobe | All | Not affected | |
IPLink for Avid | All | Not affected | |
IPWeb | All | Not affected | |
LSM Connect | All | Not affected | |
LSM-VIA | All | Not affected | |
MAD | All | Not affected | |
Mediahub | All | Under analysis | |
Multicam (XT) | All | Not affected | |
MultiReview | All | Not affected | |
Neuron | All | Not affected | |
PMZ | All | Not affected | |
Synapse | All | Not affected | |
Teradici Cloud Access | All | Not affected | |
Truck Manager | All | Not affected | |
XFile | All | Not affected | |
XnetMonitor | All | Not affected | |
XnetWebMonitor | All | Not affected | |
Xplore | All | Not affected | |
Xsquare | All | Not affected | |
Xstore | All | Not affected | |
Xedio | All | Not affected | |
This list is under investigation and will be regularly updated.
Product | Version | Status | Workaround | Patch |
---|---|---|---|---|
XS-Neo / X-One / Xeebra | All | Impacted | Update to Spring Framework 5.2.20 or 5.3.18, or a later release in the same line. Note: Spring is an internal library here and is not used by any exposed service; requires SSH access to the system. | |
More information and detailed explanations on the working of this vulnerability can be found via the links below: