[NOTICE] Yellowfin and the SpringShell Vulnerability

David Registro shared this announcement 2 years ago

Security researchers have discovered a vulnerability in Spring which may affect some Yellowfin deployments.

SpringShell (Spring4Shell), CVE-2022-22965, is a critical vulnerability that could potentially lead to remote code execution on an affected Yellowfin server. You can read more information on the vulnerability here: https://nvd.nist.gov/vuln/detail/CVE-2022-22965

Another, similar Spring vulnerability, CVE-2022-22963, does not affect Yellowfin: it affects Spring Cloud dependencies, which are not used within Yellowfin software. You can read more information on this vulnerability here: https://nvd.nist.gov/vuln/detail/CVE-2022-22963

SpringShell affected Yellowfin versions:

  • Yellowfin Version 9.0 - 9.7.1
  • Yellowfin Version 8.0.4 - 8.0.11

Note: these versions are only vulnerable when Yellowfin is running on Java 9 or greater.
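The affected ranges above are inclusive, and the only distinguishing precondition is the JVM major version, so the triage of a deployment comes down to two version comparisons. The script below is an added example, not Yellowfin's code, that encodes the notice's ranges and the Java 9+ condition: it parses a Yellowfin version string and the output of `java -version` (handling both the legacy `1.8.0_xxx` format and the modern `11.0.2` / `17` format) and returns a triage result. Because the patched builds carry the same version numbers (8.0.11 and 9.7.1) as the vulnerable originals, a version match on those two numbers is reported as "verify-patched-build" rather than as safe. The sample `java -version` lines are constructed.

```python
import re
from typing import Tuple

# Affected ranges exactly as stated in the notice (inclusive bounds).
AFFECTED_RANGES = [
    ((9, 0, 0), (9, 7, 1)),
    ((8, 0, 4), (8, 0, 11)),
]

# The fixed builds were re-released under the same version numbers, so a
# version match on these cannot by itself prove the patched build is installed.
PATCHED_REISSUES = {(9, 7, 1), (8, 0, 11)}

# Precondition from the notice: only vulnerable on Java 9 or greater.
MIN_VULNERABLE_JAVA = 9


def parse_yellowfin_version(s: str) -> Tuple[int, int, int]:
    """Parse '9.7.1' or '8.0.11' into a 3-tuple; missing components become 0."""
    nums = [int(p) for p in s.strip().split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def java_major_version(java_version_output: str) -> int:
    """Extract the Java major version from `java -version` output.

    Legacy JDKs print 'java version "1.8.0_292"' (major 8); JDK 9+ prints
    'openjdk version "11.0.2"' or 'openjdk version "17"' (major 11 / 17).
    """
    m = re.search(r'version "([^"]+)"', java_version_output)
    if not m:
        raise ValueError("no Java version string found in output")
    m2 = re.match(r"(\d+)(?:\.(\d+))?", m.group(1))
    if not m2:
        raise ValueError("unrecognised Java version format")
    first = int(m2.group(1))
    if first == 1 and m2.group(2) is not None:
        return int(m2.group(2))  # '1.8.x' style -> 8
    return first


def in_affected_range(version: Tuple[int, int, int]) -> bool:
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def assess(yellowfin_version: str, java_version_output: str) -> str:
    """Return one of: not-affected, affected-version-but-java-8,
    verify-patched-build, vulnerable."""
    v = parse_yellowfin_version(yellowfin_version)
    java = java_major_version(java_version_output)
    if not in_affected_range(v):
        return "not-affected"
    if java < MIN_VULNERABLE_JAVA:
        return "affected-version-but-java-8"
    if v in PATCHED_REISSUES:
        return "verify-patched-build"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real host.
    samples = [
        ("9.5.0", 'openjdk version "11.0.2" 2019-01-15'),
        ("9.5.0", 'java version "1.8.0_292"'),
        ("9.7.1", 'openjdk version "17" 2021-09-14'),
        ("9.8.0", 'openjdk version "17" 2021-09-14'),
        ("8.0.3", 'openjdk version "11.0.2" 2019-01-15'),
    ]
    for yf, jv in samples:
        print(f"Yellowfin {yf:<7} Java {java_major_version(jv):>2}: {assess(yf, jv)}")
```

In practice the Yellowfin version comes from the application's About page or build information and the Java output from the JVM that actually runs the Yellowfin service, which may differ from the default `java` on the PATH.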

Yellowfin has released patched builds of 8.0.11 and 9.7.1 that are not vulnerable to the issue. You can get these releases from the builds page here.
For more information on the vulnerability, including alternative manual solutions, please see the following article.

For any questions, or concerns on the above, please reach out to the YF support team via a private ticket.

Regards,

The Yellowfin Support Team
