On March 31, 2022, a vulnerability report was issued for Spring Framework (CVE-2022-22965 and CVE-2022-22963).
Spring by VMware.
A flaw was found in the VMware Spring Framework. Applications running on JDK 9 or later are vulnerable to remote code execution (RCE) via data binding when the application is run on Tomcat as a WAR deployment.
Affected Spring Framework versions
- 5.3.0 to 5.3.17
- 5.2.0 to 5.2.19
- Unsupported versions
Cleo uses OpenJDK 8 and is therefore not subject to these vulnerabilities.
Cleo Harmony, Cleo VLTrader, and Cleo LexiCom do not use the affected classes as part of their code framework and, as such, are not subject to either CVE.
- Cleo LexiCom
- Cleo VLTrader
- Cleo Harmony
- Cleo VLProxy
- Cleo Clarify
- Cleo Streem
No further action is required, as the listed applications are not susceptible to this CVE.