Riva CRM Integration - Documentation and Knowledge Base

2022-04 Spring4Shell Vulnerability Assessment

Article ID: 2312
Last updated: 05 Apr, 2022

In April 2022, Spring by VMware released a patch for RCE vulnerabilities CVE-2022-22963 and CVE-2022-22965, known as “Spring4Shell.”

These vulnerabilities may be used by attackers to gain control of affected systems.

Assessment Summary

Software published by Riva International, Inc. is NOT impacted by the Spring4Shell vulnerability.

Assessment Overview

As part of our security program, we have reviewed the vulnerability and have assessed whether any Riva service or critical elements of Riva's supply chain, including third-party vendors, are affected by this bug.

Riva software, including Riva Cloud, Riva Sync, Riva Insight, and Riva On-Premise, does not use the affected Spring framework for Java. As a result, our customers are not directly impacted by this vulnerability by using Riva's software or cloud offerings.

With regard to related services such as licensing, billing, and payment processors, we are working with other critical vendors to ensure that they also apply appropriate mitigations.

If you have configured your CRM or email services to use the Spring framework for Java, you should make sure to update the library to versions 3.1.7 and 3.2.3 or to switch to another Java framework.

For more information about the Spring4Shell vulnerability, see https://www.cisa.gov/uscert/ncas/current-activity/2022/04/01/spring-releases-security-updates-addressing-spring4shell-and.

Additional Security Questions

At Riva, we are committed to delivering an enterprise-grade service level.

If you have specific security concerns, please contact the Riva Success Team, and a member of our team will schedule a call with you to discuss your concerns.

Revision: 4