Alibaba Cloud Statement on the Impact Assessment of Spring Framework Vulnerability (CVE-2022-22965)

Last Update: April 1, 2022, Friday

Alibaba Cloud is aware of the recently disclosed security issues related to Spring Framework remote code execution (RCE) vulnerability (CVE-2022-22965) (“Spring Framework Vulnerability”). Alibaba Cloud has taken immediate action to mitigate potential security risks associated with the Spring Framework Vulnerability on its public cloud products.
It is highly recommended that our customers pay close attention to and review
their applications and systems that use Spring Framework, and ensure that these applications and systems have been upgraded to use the latest version of Spring Framework (alternatively, enable automatic updates for these applications and systems).
For more information or help, please visit the Alibaba Cloud customer service page.
The following describes the scope of impact of the Spring Framework Vulnerability on Alibaba Cloud's public cloud offerings:
Alibaba Cloud has checked the following public cloud products and did not find any of them being affected by the Spring Framework Vulnerability as of April 1, 2022. Alibaba Cloud will continue monitoring the latest developments with respect to the Spring Framework Vulnerability and deploy countermeasures as soon as they become available to ensure the security of its public cloud products and services.

ECS (Elastic Compute Service)
RDS (RDS for MySQL, ApsaraDB RDS for PostgreSQL, and ApsaraDB RDS for SQL Server)
EIP (Elastic IP Address )
MaxCompute
SLB (Server Load Balancer )
ACK (Container Service for Kubernetes)
SSL Certificates Service
OSS (Object Storage Service)
FC (Function Compute)
ECI (Elastic Container Instance)
RAM (Resource Access Management)
Log Service
Container Registry
DataWorks
Security Center
WAF (Web Application Firewall )
NAT Gateway
Apsara File Storage NAS
Domains
Alibaba Mail
DNS (Domain Name System)
Quick BI
IoT Platform
Elastic Desktop Service