Updated Date: 2022-6-7

Dear Valued Partners, 

BioStar 2 Software is not impacted by the Java Spring Framework vulnerabilities, including the Remote Code Execution (RCE) vulnerability called Spring4Shell or SpringShell.

At the end of March 2022, three critical vulnerabilities in the Java Spring Framework were published as CVEs, including a remote code execution (RCE) vulnerability called Spring4Shell or SpringShell.

The Suprema BioStar 2 system is not impacted by the three Java Spring Framework CVEs published in March 2022.

1. CVE-2022-22963, RCE in Spring Cloud Function (less severe)

//BioStar 2 does not use Spring Cloud.

2. CVE-2022-22950, medium-severity DoS vulnerability in Spring Expression

//BioStar 2 does not use Spring Expression.

3. CVE-2022-22965, "Spring4Shell", RCE in Spring Core, confirmed by several sources to leverage class injection (Critical)

//BioStar 2 is not packaged as a .war file. The attack pattern does not match the BioStar 2 system, because BioStar 2 runs on an internal (embedded) Tomcat packaged in jar format.
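The packaging argument in item 3 can be checked on any deployed artifact. The following is an added triage helper, not code from Suprema or the Spring project: it inspects a .war or executable .jar and reports whether it has the traditional-WAR layout that the published CVE-2022-22965 exploit pattern requires, or an embedded-Tomcat jar layout, and whether the bundled spring-webmvc/webflux version falls in the ranges Spring listed as affected (5.3.0-5.3.17, 5.2.0-5.2.19). The sample archives are constructed in memory for demonstration; the JDK version precondition is not visible in an artifact and must be checked separately.

```python
import io
import re
import zipfile

# Affected Spring Framework ranges from the Spring announcement for CVE-2022-22965.
VULNERABLE_RANGES = (((5, 3, 0), (5, 3, 17)), ((5, 2, 0), (5, 2, 19)))
SPRING_WEB_JAR = re.compile(
    r"(?:^|/)spring-web(?:mvc|flux)-(\d+)\.(\d+)\.(\d+)(?:\.RELEASE)?\.jar$")

def classify_artifact(artifact) -> dict:
    """Inspect a .war or Spring Boot .jar (path or file object) and report
    which packaging preconditions of the published exploit pattern it satisfies."""
    with zipfile.ZipFile(artifact) as zf:
        names = zf.namelist()
    is_war = any(n.startswith("WEB-INF/") for n in names)      # traditional WAR layout
    embedded_tomcat = any("tomcat-embed-core" in n for n in names)  # executable jar layout
    spring_version = None
    for n in names:
        m = SPRING_WEB_JAR.search(n)
        if m:
            spring_version = tuple(int(x) for x in m.groups())
    in_range = spring_version is not None and any(
        lo <= spring_version <= hi for lo, hi in VULNERABLE_RANGES)
    packaging = "war" if is_war else ("boot-jar" if embedded_tomcat else "unknown")
    return {
        "packaging": packaging,
        "spring_web_version": spring_version,
        "spring_version_in_range": in_range,
        # The known exploit pattern needs a WAR on standalone Tomcat; a jar with
        # embedded Tomcat (the layout the notice describes for BioStar 2) does not match.
        "matches_spring4shell_pattern": is_war and in_range,
    }

def build_sample(entries) -> io.BytesIO:
    """Constructed in-memory archive (not a real product artifact) for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf

# Constructed examples: a traditional WAR and a Spring Boot executable jar.
SAMPLE_WAR = ["WEB-INF/web.xml", "WEB-INF/lib/spring-webmvc-5.3.17.jar"]
SAMPLE_BOOT_JAR = ["BOOT-INF/classes/app.properties",
                   "BOOT-INF/lib/spring-webmvc-5.3.17.jar",
                   "BOOT-INF/lib/tomcat-embed-core-9.0.60.jar"]

if __name__ == "__main__":
    for label, entries in (("war", SAMPLE_WAR), ("boot-jar", SAMPLE_BOOT_JAR)):
        print(label, classify_artifact(build_sample(entries)))
```

A "boot-jar" result only means the published attack pattern does not apply; the framework should still be updated to a fixed release.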

Reference site: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement