Metric Insights not affected by 'Spring4Shell' vulnerability CVE-2022-22965
In light of the recent zero-day RCE vulnerability in the Java Spring Framework, colloquially known as Spring4Shell (published on Thursday, March 31st), we wanted to update you on where Metric Insights stands:
The Metric Insights application is currently safe.
The Java Spring Framework is used only with our Dataprocessor service, which runs inside a container/pod. Our Dataprocessor service is deployed as a Spring Boot application, which is not vulnerable, per Rossen Stoyanchev of Spring.io:
"If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to the exploit"
More details can be found here: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
For any questions or concerns, please reach out to Metric Insights Support: firstname.lastname@example.org