Critical Security Vulnerability Information

Spring4Shell - Spring Core RCE and Spring Cloud Function RCE

 

2nd update – 11 April 2022


This is an update to the communication we issued a few days ago about two critical vulnerabilities with the highest risk rating affecting certain applications and services. The threats are the remote code execution vulnerabilities Spring4Shell – Spring Core RCE (CVE-2022-22965) and Spring Cloud Function RCE (CVE-2022-22963) (please scroll down to the previous update for details).

We have checked the status of the following software, services and products and can confirm that they are not affected by either vulnerability.

If you do not find a specific product from our offering on these lists, please get in touch with us.

For updates regarding the impact on applications of our partner Ysoft, please check this Ysoft-webpage and scroll down – you will find an updated pdf in the section "Security Bulletin" named "YSoft SAFEQ SPRING4SHELL VULNERABILITY".
 

Applications

 


Office Printing


Professional Printing


1st update – 6 April 2022


Langenhagen, Germany, 06. April 2022 


Konica Minolta has been made aware of two critical vulnerabilities with the highest risk rating affecting certain applications and services.  

The threats are the remote code execution vulnerabilities Spring4Shell – Spring Core RCE (CVE-2022-22965) and Spring Cloud Function RCE (CVE-2022-22963).

CVE-2022-22965 (Spring4Shell) is found in the Spring Framework core and was observed and confirmed at the end of March 2022. Spring Framework is an open-source application framework for the development of Java-based applications, essentially aiming to help developers build applications more quickly. If exploited, this vulnerability can enable remote code execution (RCE), but exploitation appears to be largely at the proof-of-concept stage right now and depends on the specific deployment: the publicly known attack requires an application using Spring MVC or Spring WebFlux on JDK 9 or later, packaged as a WAR and deployed on Apache Tomcat, that binds request parameters to a Java object via Spring's data binding. Spring has released fixed versions 5.3.18 and 5.2.20 of the Spring Framework (Spring Boot 2.6.6 and 2.5.12 include them).

CVE-2022-22963 (Spring Cloud Function RCE) was also observed and confirmed at the end of March 2022 and affects Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions; the fix is in 3.1.7 and 3.2.3. When the routing functionality is used, a client can supply a specially crafted SpEL (Spring Expression Language) expression as the routing expression (via the spring.cloud.function.routing-expression request header), which the application evaluates and which may result in remote code execution and access to local resources.
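For operators who cannot patch vendor software immediately, the practical check for both vulnerabilities described above is to look at inbound requests. The following is an added example, not code from this advisory or from Konica Minolta: a small detector that scans request logs for the two publicly documented indicators, a bound property path starting with `class.`/`Class.` (the same patterns Spring's interim `setDisallowedFields` mitigation for CVE-2022-22965 blocks) and a client-supplied `spring.cloud.function.routing-expression` header (CVE-2022-22963). The JSON-lines log format, the sample entries and the field names (`target`, `headers`, `body`) are assumptions made for this example; adapt `scan()` to whatever your proxy or WAF actually records.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Indicators taken from the public advisories (not invented here):
#  - CVE-2022-22965: Spring's interim mitigation disallows data-binding
#    property paths matching class.*, Class.*, *.class.*, *.Class.*
#  - CVE-2022-22963: the routing expression comes from the
#    spring.cloud.function.routing-expression request header
DISALLOWED_PATH = re.compile(r"(^|\.)[cC]lass\.")
ROUTING_HEADER = "spring.cloud.function.routing-expression"
# SpEL type references that spawn processes; anything else in the header is still flagged
SPEL_PROCESS_REF = re.compile(r"T\(\s*java\.lang\.(Runtime|ProcessBuilder)")
FORM_TYPE = "application/x-www-form-urlencoded"

# Constructed sample log (JSON lines, one request per line; assumed format).
SAMPLE_LOG = """
{"ts":"2022-03-31T10:01:02Z","client":"10.0.0.5","method":"GET","target":"/index.html","headers":{}}
{"ts":"2022-03-31T10:01:09Z","client":"10.0.0.9","method":"POST","target":"/api/user","headers":{"content-type":"application/x-www-form-urlencoded"},"body":"class.module.classLoader.resources.context.parent.pipeline.first.pattern=x&name=a"}
{"ts":"2022-03-31T10:02:11Z","client":"10.0.0.9","method":"POST","target":"/functionRouter","headers":{"spring.cloud.function.routing-expression":"T(java.lang.Runtime).getRuntime().exec('id')"},"body":"hello"}
{"ts":"2022-03-31T10:03:00Z","client":"10.0.0.7","method":"GET","target":"/search?Class.module.classLoader.x=1","headers":{}}
{"ts":"2022-03-31T10:04:00Z","client":"10.0.0.3","method":"GET","target":"/products?classic=shoes&user.classification=gold","headers":{}}
""".strip().splitlines()


def check_request(entry):
    """Return a list of (cve, reason) findings for one parsed request entry."""
    findings = []
    headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}

    # CVE-2022-22965: any bound parameter name that walks into class.* is a probe
    # or an exploit attempt. Query string always; body only when form-encoded,
    # because that is what Spring's data binder consumes.
    params = parse_qsl(urlsplit(entry.get("target", "")).query, keep_blank_values=True)
    if headers.get("content-type", "").startswith(FORM_TYPE):
        params += parse_qsl(entry.get("body", ""), keep_blank_values=True)
    for name, _ in params:
        if DISALLOWED_PATH.search(name):
            findings.append(("CVE-2022-22965", f"bound property path {name!r}"))

    # CVE-2022-22963: the routing expression should never come from an untrusted
    # client, so its mere presence is reportable; process-spawning SpEL is worse.
    if ROUTING_HEADER in headers:
        expr = headers[ROUTING_HEADER]
        if SPEL_PROCESS_REF.search(expr):
            findings.append(("CVE-2022-22963", f"routing expression spawns a process: {expr!r}"))
        else:
            findings.append(("CVE-2022-22963", "client-supplied routing expression"))
    return findings


def scan(lines):
    """Scan JSON-lines log entries; return [(line_no, cve, reason), ...]."""
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        for cve, reason in check_request(entry):
            hits.append((n, cve, reason))
    return hits


if __name__ == "__main__":
    for line_no, cve, reason in scan(SAMPLE_LOG):
        print(f"line {line_no}: {cve}: {reason}")
```

Two caveats for using this in practice: ordinary access logs carry neither request bodies nor custom headers, so the input has to come from a reverse proxy or WAF configured to record them; and a hit on the `class.*` pattern shows that someone tried, not that the attempt succeeded, since the known chain only works on the JDK 9+/Tomcat WAR deployments noted above.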

Since this is still an early stage for both vulnerabilities, we do not yet have a list of affected applications/offerings from Konica Minolta for you. We are currently evaluating which versions of which offered applications are affected and if so, how to remedy the vulnerability. 

For Konica Minolta, the security of our devices, applications, and services is of the highest concern. We are working on resolving the topic with the highest priority and speed and will provide regular updates.