In light of the recent zero-day RCE vulnerability with Java Spring Framework, colloquially known as Spring4Shell (published on Thursday, March 31st), we wanted to update you on where Metric Insights stands:

The Metric Insights application is currently safe.

Java Spring Framework is only used with our Dataprocessor service which runs inside of a container/pod. Our Dataprocessor service is deployed as a Spring Boot application, which is not vulnerable, per Rossen Stoyanchev of Spring.io:

"If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to the exploit"

More details can be found here: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

For any questions or concerns, please reach out to Metric Insights Support: [email protected]