Hi Skyline team
I would like to confirm whether the DataMiner product is affected by this vulnerability: CVE-2022-22965 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965)
Thanks in advance
Hi Xabier,
DataMiner only depends on 2 Java-based applications: Apache Cassandra and Elasticsearch.
- Elasticsearch is not affected by Spring4Shell.
- Apache Cassandra did not make an official statement yet. I have contacted them for official confirmation, but have not received an answer.
Therefore, I did some investigation myself:
The vulnerability requires JDK 9 or higher and an application that is packaged as a WAR file.
Since DataMiner deploys Cassandra with Java 8 and it’s not packaged as a WAR, I don’t expect Cassandra to be affected.
I also ran a Spring4Shell detection tool on my local Cassandra and it did not detect the vulnerabilities:
Please let me know if you have any further questions.
Thanks Jens, all clear.
Best regards
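
The two preconditions named in the answer above (JDK 9 or higher, WAR packaging) can be checked mechanically, as in the following added example, which is not part of the original thread and is not the detection tool mentioned there. The jar-name pattern, function names, sample archive names and version strings are assumptions made for illustration.

```python
import io
import re
import zipfile

# Assumed jar-name pattern for bundled Spring Framework modules (illustrative).
SPRING_JAR = re.compile(r"(?:^|/)spring-(?:beans|webmvc|webflux)-[^/]*\.jar$")

def java_major(version):
    """Major release from a java.version string: '1.8.0_292' -> 8, '11.0.14' -> 11."""
    parts = re.split(r"[._+-]", version.strip().strip('"'))
    first = int(parts[0])
    # Java 8 and older report themselves as 1.x
    return int(parts[1]) if first == 1 and len(parts) > 1 else first

def spring_jars(archive):
    """Spring jars bundled inside a WAR/JAR given as a path or file object."""
    with zipfile.ZipFile(archive) as zf:
        return sorted(n for n in zf.namelist() if SPRING_JAR.search(n))

def assess(java_version, archive_name, archive):
    """Check the two preconditions from the answer plus presence of Spring jars."""
    jdk9_plus = java_major(java_version) >= 9
    is_war = archive_name.lower().endswith(".war")
    jars = spring_jars(archive)
    return {
        "jdk9_or_higher": jdk9_plus,
        "war_packaging": is_war,
        "spring_jars": jars,
        # All conditions present: worth a closer look, not proof of exposure.
        "needs_review": jdk9_plus and is_war and bool(jars),
    }

def make_archive(names):
    """Build a constructed in-memory archive with empty members (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Constructed samples: file names and version strings are placeholders.
    war = make_archive(["WEB-INF/web.xml", "WEB-INF/lib/spring-beans-0.0.0.jar"])
    jar = make_archive(["META-INF/MANIFEST.MF", "org/example/Main.class"])
    print(assess("11.0.14", "sample-app.war", war))
    print(assess("1.8.0_292", "sample-service.jar", jar))
```

A `needs_review` result of `False` only says that the listed preconditions were not all found for that archive and runtime; it does not replace a vendor statement.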