On March 31, 2022, a critical security vulnerability (CVE-2022-22965) was made public, affecting software built on the Spring Framework.
Regarding how this vulnerability affects Modyo platforms, we can state the following:
- Modyo Cloud and Modyo Enterprise Cloud, in all their versions, are not affected by the vulnerability, since it affects the Spring Framework, which is not used in their development.
- Modyo Connect supports containers developed in Spring Boot, which according to official information could be affected when deployed as a WAR inside a Tomcat server. Modyo Connect always uses the standalone server provided internally by the framework, which would not be affected.
Regardless of the above, Modyo recommends that all customers who have containers developed with Spring Boot upgrade to the latest released version to avoid risk from this vulnerability.
Modyo Connect customers with active development contracts will be contacted internally to support them with the migration.
Jose Antonio Silva