UiPath Security Advisory Spring4Shell (CVE-2022-22965)

Publish Date: April 6, 2022

Version: 1.1

The UiPath Security and Product Engineering teams have been performing an exposure analysis of the Spring4Shell vulnerability, categorized as CVE-2022-22965, on UiPath products. This post details our progress to date. Note that our assessment of products and services has been completed for the listed CVEs. We plan to update this page as material information becomes available. Our aim is to enable our customers to quickly mitigate risks to their security posture.

1. The following constitute our findings to date:

The following products contain the vulnerable Spring Framework libraries but have no known risk because exploitation is already mitigated in these products.

UiPath will update these products in a future release.

  • AI Center

  • Automation Suite

  • Cloud Elements

  • Insights

  • Test Manager

2. Services in UiPath’s Automation Cloud that contained the vulnerable Spring Framework libraries have already been updated to fully remediate the vulnerability. Please note there was no known risk due to mitigation associated with these services.

3. The following products, both cloud service and the on-premises versions, do not contain the vulnerable Spring Framework libraries and have no known risk at this time:

  • Studio (all types), Assistant, Robot (all types including AI Robots, Cloud Robots, etc.)

  • All extensions packaged with Studio (browser extensions, etc.)

  • All UiPath Activity Packages published to the UiPath Official Feed

  • Orchestrator

  • Automation Hub (including Task Capture)

  • Data Service

  • Task Mining

  • Process Mining

  • Automation Ops

  • Action Center

  • Apps

  • High Availability Add-on (HAA)