Updated Date: 2022-6-7
Dear Valued Partners,
BioStar 2 Software is not impacted by Java Spring Framework including a Remote Code Execution (RCE) vulnerability called Spring4Shell or SpringShell.
At the end of March 2022, CVE published three critical vulnerabilities in the Java Spring Framework, including a remote code execution (RCE) vulnerability called Spring4Shell or SpringShell.
The Suprema Biostar 2 system is not impacted by the three CVE Java Spring Framework vulnerabilities published in March 2022.
1. CVE-2022-22963, RCE in Spring Cloud Function (less severe),
//BioStar 2 does not use Spring Cloud.
2. CVE-2022-22950, Spring Expression DoS Medium-severity vulnerability
//BioStar 2 does not use Spring Expression.
3. CVE-2022-22965, "Spring4Shell" or RCE in Spring Core - confirmed by several sources that leverage class injection (Critical)
// BioStar 2 is not the package of .war type. The attack pattern does not match with BioStar 2 system. It's because BioStar 2 uses the internal tomcat as jar format.