On March 31, 2022, a critical vulnerability was announced in the Spring framework, which is used by many vendors with Java-based products.
As soon as WithSecure became aware of this, we started investigating whether any of our products were affected, and we found that the following products contained the affected version of Spring Framework:
- F-Secure Policy Manager (version 15 only)
- F-Secure Policy Manager for Linux (version 15 only)
- F-Secure Policy Manager Proxy (version 15 only)
- F-Secure Policy Manager Proxy for Linux (version 15 only)
While these products contained the vulnerable version, they are not exploitable with any currently known attacks.
However, as some third-party vulnerability scanners have reported that these versions are susceptible, we have released hotfixes that replace the affected components with versions that are not vulnerable to this attack. The hotfixes can be found via our Downloads section on the product support pages.
WithSecure have released a Security Advisory related to this.