SpringShell

SpringShell Vulnerability Status

April 19, 2022

Introduction

In April 2022, it became known that the Java application framework component Spring has severe security vulnerabilities, commonly known as SpringShell or Spring4Shell.

Some NEC products and solutions include a version of Spring which are known to be vulnerable. The vulnerabilities may be mitigated by various actions.

This page lists the known vulnerability status at time of writing and is intended to be useful to NEC partners and customers. It is updated as new information becomes known to NEC.

Background

See NVD - CVE-2022-22965 (nist.gov)

Product Matrix

Product
Vulnerability Status
Note
SL1000
SL1100
SL2100
Not Vulnerable
No Java
UNIVERGE SV8100
UNIVERGE SV9100
UNIVERGE Aspire X
UNIVERGE Aspire UX
UNIVERGE Aspire WX
Not Vulnerable
No Java
UNIVERGE SV8300
UNIVERGE SV9300
Not Vulnerable
No Java
UNIVERGE SV8500
UNIVERGE SV9500
Not Vulnerable
No Java
UNIVERGE 3C Unified Communication Manager (UCM)
Not Vulnerable
See the Notes section
SIP@Net
Not Vulnerable
No Java
UNIVERGE Integation Platform
Not Vulnerable
No Java
UNIVERGE Hybrid Workspace Management (UHM)
Not Vulnerable
No Java
UNIVERGE BLUE CONNECT
Not Vulnerable
No Java
UNIVERGE BLUE CONNECT BRIDGE
Not Vulnerable
No Java
UNIVERGE BLUE CONNECT ENGAGE
Not Vulnerable
No Java
UNIVERGE BLUE Smart Access
Not Vulnerable
Has Spring, but JDK 8 which is not vulnerable
UNIVERGE BLUE Monitor
Not Vulnerable
No Spring Framework
UNIVERGE Smart Guest Check-In (Kiosk)
Not Vulnerable
No Java
Front Desk Assistant
VULNERABLE
To mitigate, upgrade to Smart Access v3.1.0 or higher
NeoFace Watch FR
Not Vulnerable
No Java
UNIVERGE UC Connector
Not Vulnerable
No Java
UNIVERGE Business ConneCT (BCT)
Not Vulnerable
No Java
UC for Enterprise (UCE) Application Platform
Not Vulnerable
No Spring Framework
UC for Enterprise (UCE) Mobile Clients
Not Vulnerable
MC550 Android uses Spring, but none of the vulnerable libraries
UC for Enterprise (UCE) Attendant
Not Vulnerable
No Spring Framework
UC for Enterprise (UCE) Manager (MA4000)
Not Vulnerable
No Java
UC for Enterprise (UCE) IVR (QueWorX)
Not Vulnerable
No Java
Navigator MIS (Global Navigator)
Not Vulnerable
No Spring Framework
Expense Management
Not Vulnerable
No Java
TigerTMS
Not Vulnerable
No Java
SLC (uMobility)
Not Vulnerable
No Java
UNIVERGE Soft Client SP350
Not Vulnerable
No Java
MLC
Not Vulnerable
No Java
BizMLC
Not Vulnerable
No Java
uSN (MLC Managment Component)
Not Vulnerable
No Java
MyCalls
Not Vulnerable
No Java
MobiCall
Not Vulnerable
No Java
UNIVERGE IP Phone DT700
UNIVERGE IP Desktop Terminals DT700 Series
UNIVERGE IP Phone DT800
UNIVERGE IP Desktop Terminals DT800 Series
Not Vulnerable
No Java
UNIVERGE Digital Phone DT300
UNIVERGE Digital Desktop Terminals DT300 Series
UNIVERGE Digital Phone DT400
UNIVERGE Digital Desktop Terminals DT400 Series
Not Vulnerable
No Java
UNIVERGE DT200
Not Vulnerable
No Java
AT-15/AT-35/AT-40/AT-45
Not Vulnerable
No Java
IP DECT DAP Controller, InDECT, DMLS, AP400, Tools
Not Vulnerable
No Java
DECT Location Gateway, I766, G266, G566, M166, G277, G577, G577h
Not Vulnerable
No Java
Blueprint
Not Vulnerable
No Java
UG50
Not Vulnerable
No Java
MG-SIP, MCMG, VS32
Not Vulnerable
No Java
UNIVERGE UM4730
Not Vulnerable
No Spring Framework
UNIVERGE UM8700
Not Vulnerable
No Spring Framework
UNIVERGE UM8000
Not Vulnerable
No Spring Framework
UC Suite
Not Vulnerable
No Java
InMail
Not Vulnerable
No Java
LMS (License Management Service)
Not Vulnerable
No Java
LMC (License Management Client)
Not Vulnerable
No Java
NEC Meeting Center NMC
Not Vulnerable
No Java
UNIVERGE BX Series
Not Vulnerable
No Spring Framework
GT210
Not Vulnerable
No Java
GT890
Not Vulnerable
No Java
Tools for GT Series
Not Vulnerable
No Java
3C GT Phones
Not Vulnerable
No Java
UNIVERGE ST500
Not Vulnerable
No Java
InApps
Not Vulnerable
No Java
Express5800 Fault Tolerant Server (all 300 series)
Not Vulnerable
No Spring Framework
Express5800 General Purpose Server (all 100 series) Except for R120h-1M/2M
Under Investigation
Express5800 General Purpose Server R120h-1M/2M
Under Investigation
ESMPRO/ServerManager, ServerAgent
Not Vulnerable
No Spring Framework
Hyper Converged Infrastructure D120H
Under Investigation
Scale Computing HC3 (HCI)
Not Vulnerable
No Spring Framework
SR250 (HCI - Lenovo)
SR630 (HCI - Lenovo)
SR650 (HCI - Lenovo)
Not Vulnerable
No Spring Framework
Leostream (VDI)
Under Investigation
M720Q (Edge)
M80Q (Edge)
Under Investigation
HYDRAstor
Not Vulnerable
No Spring Framework
M Series Storage
Under Investigation
ExpressCluster R3 LAN
ExpressCluster R3 WAN
ExpressCluster R3 SAN
ExpressCluster R4.x
Not Vulnerable
No Spring Framework
VPCC v6.x
Not Vulnerable
No Spring Framework
US120f
Not Vulnerable
No Java
US320f
Not Vulnerable
No Java
NOE
Not Vulnerable
No Spring Framework
QX switches
Not Vulnerable
No Spring Framework
Masterscope NFA or Network Manager WebConsole on Linux
Not Vulnerable
No Spring Framework
PFC (ProgrammableFlow Controller)
Not Vulnerable
No Spring Framework

Notes for UNIVERGE 3C

UNIVERGE 3C is not vulnerable to Spring4Shell.

Neither UC Client nor the Mobile Clients include Spring Framework.

UCM versions v9.2.1.8 and v10.1.0.14 P2 each include Java with Spring Framework in three components (RIA Service, File Server and Web Admin). However, none of the Spring instances are vulnerable according to the criteria of CVE-2022-22965 (nist.gov):
  • UCM 9.2.1.8 has Spring versions 4.2.0, 2.0.8 and 4.2.3. None of them are affected versions.
  • UCE 10.1.0.14 P2 has Spring version 4.3.29, which is not an affected version; and version 5.2.15 without use of MVC or WebFlux, and therefore unaffected.
Contact Us