Am I affected?
The Verint security team is actively investigating the impact of the Spring Framework Vulnerability CVE-2022-22965. The team has determined that the current version of Verint Financial Compliance (Verba) as provided to our customers is not vulnerable to CVE-2022-22965, based on the indicators of compromise identified by industry experts. As more information is released, we continue to review our offerings and follow manufacturer-recommended remediations for all systems and services.
The Verint Financial Compliance (Verba) product does include the following Spring Framework libraries:
Verba\tomcat\webapps\verba\WEB-INF\lib\spring-aop-4.3.30.RELEASE.jar
Verba\tomcat\webapps\verba\WEB-INF\lib\spring-beans-4.3.30.RELEASE.jar
Verba\tomcat\webapps\verba\WEB-INF\lib\spring-context-4.3.30.RELEASE.jar
Verba\tomcat\webapps\verba\WEB-INF\lib\spring-core-4.3.30.RELEASE.jar
Verba\tomcat\webapps\verba\WEB-INF\lib\spring-tx-4.3.30.RELEASE.jar
Verba\tomcat\webapps\verba\WEB-INF\lib\spring-web-4.3.30.RELEASE.jar
However, these libraries are no longer in use and can be safely removed from the system by deleting these JAR files. The files will be removed in the next service release.
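One way to inventory and remove the six listed JAR files, as an added example that is not Verint's own tooling. The -VerbaRoot parameter (the directory that contains the Verba folder shown in the paths above) and the -Remove switch are assumptions made for this example.

```powershell
# Added example, not vendor tooling. -VerbaRoot is an assumption: the directory
# that contains the "Verba" folder shown in the advisory's paths.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$VerbaRoot,
    [switch]$Remove   # hypothetical switch: delete the listed JARs after reporting
)

$libDir = Join-Path $VerbaRoot 'Verba\tomcat\webapps\verba\WEB-INF\lib'
if (-not (Test-Path -LiteralPath $libDir -PathType Container)) {
    throw "Library directory not found: $libDir"
}

# File names exactly as listed in the advisory.
$listed = @(
    'spring-aop-4.3.30.RELEASE.jar', 'spring-beans-4.3.30.RELEASE.jar',
    'spring-context-4.3.30.RELEASE.jar', 'spring-core-4.3.30.RELEASE.jar',
    'spring-tx-4.3.30.RELEASE.jar', 'spring-web-4.3.30.RELEASE.jar'
)

# Report which listed JARs are present, with a hash for the change record.
$report = foreach ($name in $listed) {
    $path    = Join-Path $libDir $name
    $present = Test-Path -LiteralPath $path -PathType Leaf
    $hash    = $null
    if ($present) { $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash }
    [pscustomobject]@{ Jar = $name; Present = $present; SHA256 = $hash }
}
$report | Format-Table -AutoSize

# Any other spring-*.jar is outside the advisory's list: report it, never delete it.
$other = Get-ChildItem -LiteralPath $libDir -Filter 'spring-*.jar' -File |
    Where-Object { $listed -notcontains $_.Name }
foreach ($jar in $other) {
    Write-Warning "Not in the advisory's list, left in place: $($jar.Name)"
}

if ($Remove) {
    foreach ($row in ($report | Where-Object Present)) {
        $path = Join-Path $libDir $row.Jar
        # ShouldProcess makes -WhatIf and -Confirm work for the deletion step.
        if ($PSCmdlet.ShouldProcess($path, 'Delete unused Spring JAR')) {
            Remove-Item -LiteralPath $path -Force
        }
    }
}
```

Run it first without -Remove, or with -Remove -WhatIf, to review what would be deleted before changing anything.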
Summary and Impact
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
For more information, see https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement