Arcot Platform - Spring4Shell Framework Vulnerabilities

20346

05 April 2022

Introduction
In the last days of March 2022 two vulnerabilities affecting the widely used Java Spring Framework were disclosed; details of the second had leaked online before the Spring project's own advisory was published. If exploited, either vulnerability can permit an unauthenticated remote attacker to execute arbitrary code on the target system.

CVE-2022-22963 is an RCE vulnerability in Spring Cloud Function: a SpEL expression supplied in the spring.cloud.function.routing-expression HTTP header is evaluated by the routing function. CVE-2022-22965 (widely referred to as "Spring4Shell") is an RCE vulnerability in Spring Framework itself, in the spring-beans data-binding code, where crafted request parameters are bound to properties reachable through a bound object's class loader.

Impact assessment
The Arcot platform does not use Spring Cloud Function and hence is not vulnerable to CVE-2022-22963.

CVE-2022-22965 requires several preconditions to hold before a system is exploitable by the published technique: JDK 9 or newer; Apache Tomcat as the servlet container; the application deployed as a traditional WAR rather than as an executable jar with embedded Tomcat; a spring-webmvc or spring-webflux dependency; and Spring Framework 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or an older unsupported version. The vulnerable component must also be remotely accessible so that an attacker can send the crafted requests. Spring's advisory notes that the underlying weakness is more general and that other exploitation routes may exist, so the preconditions describe the known exploit path rather than the limit of exposure.

Arcot has evaluated CVE-2022-22965 and confirmed that no remotely accessible component is deployed in a configuration that meets those preconditions.

Mitigation
As the Arcot platform does not meet the preconditions for exploitation, no immediate action is required. Arcot will nevertheless update all instances of Spring Framework to the fixed versions 5.3.18 and 5.2.20 (or later) in the course of routine component version updates during forthcoming sprint cycles, so that exposure does not depend on the preconditions continuing to hold.
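The triage that the impact assessment and mitigation above describe can be expressed as a small check over a deployment inventory. The following is an added illustration written for this page, not Arcot's own tooling: the five preconditions and the fixed versions come from the Spring advisory, while the inventory schema (java_major, container, packaging, jars) and the three sample deployments are constructed for the example.

```python
"""Precondition triage for CVE-2022-22965 (Spring4Shell).

Added illustration, not Arcot's own tooling. The preconditions are the ones
listed in the Spring security advisory; the inventory schema and the sample
deployments below are constructed for this example.
"""
import re
from typing import Dict

# Jar names that reveal the Spring Framework version and the web dependency.
JAR_RE = re.compile(r"^spring-(beans|core|webmvc|webflux)-(\d+)\.(\d+)\.(\d+)\.jar$")

FIXED_5_2 = (5, 2, 20)  # first fixed release on the 5.2 line
FIXED_5_3 = (5, 3, 18)  # first fixed release on the 5.3 line


def spring_version_affected(version: str) -> bool:
    """True if this Spring Framework version lacks the CVE-2022-22965 fix.

    5.2.x is fixed from 5.2.20; every other line is fixed from 5.3.18 onward.
    Anything older than 5.2 is out of support and treated as affected.
    """
    v = tuple(int(p) for p in version.split("."))
    if v[:2] == (5, 2):
        return v < FIXED_5_2
    return v < FIXED_5_3


def assess(inventory: Dict) -> Dict:
    """Evaluate one deployment against the Spring4Shell preconditions.

    inventory keys (hypothetical schema used only by this example):
      java_major: int, container: str, packaging: str, jars: list of str
    """
    spring_versions = set()
    has_web = False
    for jar in inventory["jars"]:
        m = JAR_RE.match(jar)
        if not m:
            continue
        spring_versions.add(".".join(m.group(2, 3, 4)))
        if m.group(1) in ("webmvc", "webflux"):
            has_web = True
    affected_version = any(spring_version_affected(v) for v in spring_versions)

    checks = {
        "jdk_9_or_newer": inventory["java_major"] >= 9,
        "tomcat_container": inventory["container"].lower() == "tomcat",
        "war_packaging": inventory["packaging"].lower() == "war",
        "spring_webmvc_or_webflux": has_web,
        "affected_spring_version": affected_version,
    }
    return {
        "checks": checks,
        "spring_versions": sorted(spring_versions),
        # The published exploit path needs every precondition at once.
        "exploitable_configuration": all(checks.values()),
        # Other exploitation routes may exist, so an affected version still
        # warrants the upgrade even when the known path is closed.
        "upgrade_required": affected_version,
    }


# Constructed inventories, not real hosts.
EXPOSED_WAR = {
    "java_major": 11, "container": "tomcat", "packaging": "war",
    "jars": ["spring-beans-5.3.17.jar", "spring-webmvc-5.3.17.jar", "log4j-core-2.17.1.jar"],
}
BOOT_JAR = {  # embedded Tomcat executable jar: known path closed, still unpatched
    "java_major": 11, "container": "tomcat", "packaging": "jar",
    "jars": ["spring-beans-5.3.17.jar", "spring-webmvc-5.3.17.jar"],
}
PATCHED_WAR = {
    "java_major": 11, "container": "tomcat", "packaging": "war",
    "jars": ["spring-beans-5.3.18.jar", "spring-webmvc-5.3.18.jar"],
}

if __name__ == "__main__":
    for name, inv in [("exposed-war", EXPOSED_WAR), ("boot-jar", BOOT_JAR), ("patched-war", PATCHED_WAR)]:
        r = assess(inv)
        print(f"{name}: exploitable={r['exploitable_configuration']} "
              f"upgrade_required={r['upgrade_required']} spring={r['spring_versions']}")
```

The two output fields are deliberately separate: exploitable_configuration answers whether the published exploit path is open, while upgrade_required is true whenever an affected version is present, which is the position the mitigation above takes.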