On Thursday, March 31st, 2022, we observed the announcement of a zero-day remote code execution (RCE) vulnerability (CVE-2022-22965) in the Spring Framework, which is commonly used in Java-based software. This vulnerability is also known as Spring4Shell.
ProcessMaker BPM and its integrations do not require Java and thus do not use the Spring Framework. Therefore, ProcessMaker BPM is not impacted by this vulnerability.
As a security measure, our team has conducted a full impact assessment since the vulnerability was initially documented, and we have found no component or service offered by ProcessMaker to be affected.
Components analyzed and identified as secure:
- ProcessMaker Cloud (Cloud Web Applications, RESTful APIs, API Gateways)
- ProcessMaker Web (Public Website)
- ProcessMaker Support (Zendesk)
- Backup Services (AWS Backup, AWS S3)
At this time, no components have been identified as vulnerable to the exploit.
We continuously monitor the response from security researchers for further discoveries related to this vulnerability and any others that may emerge. Further updates will be posted on this page as necessary.
By 6 PM ET, April 4th, 2022