
CVE-2022-22965 - Spring Framework RCE w/ JDK 9+

Issue

Spring.io has published a notification about a recently discovered CVE (https://tanzu.vmware.com/security/cve-2022-22965). They have also posted a blog about their observations (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement), which they are continuing to update. Armory has been following the developments so far and is keeping up to date on the situation. Based on our investigations, we do not appear to be susceptible to exploitation at this time, and therefore we are only observing developments. We will continue looking at updates and measuring the potential impact on customers. To explain the process Armory used to evaluate the vulnerability and determine the scope of its effect, Armory has posted the following blog article: https://www.armory.io/blog/cve-2022-22965-spring-rce-which-does-not-impact-spinnaker/

Cause

Please refer to Spring's post with regard to this vulnerability: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement