Kofax products and Spring4Shell vulnerability information CVE-2022-22965
Spring4Shell vulnerabilities (CVE-2022-22965) in the Spring Core Framework on Java Development Kit (JDK) version 9 or later
Kofax is aware of the recently disclosed Spring4Shell vulnerabilities (CVE-2022-22965) in the Spring Core Framework on Java Development Kit (JDK) version 9 or later. The following Kofax products are using the potentially vulnerable version. Kofax is evaluating the products below for exposure to Spring4Shell and will create patches wherever they are needed, as a priority.
Products not listed on this page have been evaluated and are not vulnerable.
Affected Kofax Products | Remediation Status | Kofax Community Product Discussion URL (bookmark your product's post for any future updates) |
Kofax Communication Manager (KCM) | KCM is not vulnerable to the Spring4Shell zero-day vulnerability (CVE-2022-22965). KCM does use Spring parameter binding, but to a native (String) type. It does not bind to a POJO. | Communications Manager Release Announcements |
Device Web Service (DWS) | The Java Development Kit (JDK) included is below JDK9 and is therefore not impacted. | ControlSuite Release Announcements |
Invoice Portal | Invoice Portal does not use Java Development Kit version 9 (JDK9) or later and therefore is not impacted. Please refer to the "Does the spring4shell vulnerability CVE-2022-22965 affect Invoice Portal" article for details. | ReadSoft Release Announcements |
RPA | Patches are available. See the "Is Kofax RPA impacted by the CVE-2022-22965 RCE Vulnerability" article. | Robotic Process Automation Release Announcements |
MarkView | MarkView does not use Java Development Kit version 9 (JDK9) or later and therefore is not impacted. Please refer to the "Does the spring4shell vulnerability CVE-2022-22965 affect MarkView" article for details. | MarkView Release Announcements |
Printix | Printix is not vulnerable, as Spring Core is not deployed as a WAR. | |
SafeCom | The Java Development Kit (JDK) included is below JDK9 and is therefore not impacted. | |
SignDoc | Potentially vulnerable. Kofax R&D is evaluating if SignDoc is impacted by this vulnerability. Please refer to the "Spring4shell vulnerability in SignDoc" article for more information. | SignDoc Release Announcements |
Monitor the indicated Community post for any future updates.
Kofax Technical Support
Article # 3041775