Konica Minolta has been made aware of two critical vulnerabilities with the highest risk rating affecting certain applications and services.
The threats are the remote code execution vulnerabilities Spring4Shell (Spring Core RCE, CVE-2022-22965) and Spring Cloud Function RCE (CVE-2022-22963).
CVE-2022-22965 (Spring4Shell) is found in the Spring Core Framework and was observed and confirmed at the end of March 2022. Spring Framework is an open-source application framework used for the development of Java-based applications, essentially aiming to help developers build applications more quickly. If exploited, this vulnerability can enable remote code execution (RCE) attacks, but it appears to be largely at the proof-of-concept stage right now for specific Spring Framework implementations.
CVE-2022-22963 (Spring Cloud Function RCE) was also observed and confirmed at the end of March 2022 and affects Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions. When routing functionality is used, a user can provide a specially crafted SpEL expression as a routing-expression that may result in remote code execution and access to local resources.
Since both vulnerabilities are still at an early stage, we do not yet have a list of affected applications/offerings from Konica Minolta for you. We are currently evaluating which versions of which offered applications are affected and, if so, how to remedy the vulnerability.
For Konica Minolta, the security of our devices, applications, and services is of the highest concern. We are working on resolving this issue with the highest priority and speed and will provide regular updates.