SpringShell

SpringShell Vulnerability Status

April 19, 2022


Introduction

In April 2022, it became known that the Java application framework component Spring has severe security vulnerabilities, commonly known as SpringShell or Spring4Shell.

Some NEC products and solutions include a version of Spring that is known to be vulnerable. The vulnerabilities may be mitigated by various actions.

This page lists the known vulnerability status at the time of writing and is intended to be useful to NEC partners and customers. It is updated as new information becomes known to NEC.

Background

See NVD - CVE-2022-22965 (nist.gov)

Product Matrix


Product
Vulnerability Status
Note

SL1000
SL1100
SL2100
Not Vulnerable
No Java

UNIVERGE SV8100
UNIVERGE SV9100
UNIVERGE Aspire X
UNIVERGE Aspire UX
UNIVERGE Aspire WX
Not Vulnerable
No Java

UNIVERGE SV8300
UNIVERGE SV9300
Not Vulnerable
No Java

UNIVERGE SV8500
UNIVERGE SV9500
Not Vulnerable
No Java

UNIVERGE 3C Unified Communication Manager (UCM)
Not Vulnerable
See the Notes section

SIP@Net
Not Vulnerable
No Java

UNIVERGE Integration Platform
Not Vulnerable
No Java

UNIVERGE Hybrid Workspace Management (UHM)
Not Vulnerable
No Java

UNIVERGE BLUE CONNECT
Not Vulnerable
No Java

UNIVERGE BLUE CONNECT BRIDGE
Not Vulnerable
No Java

UNIVERGE BLUE CONNECT ENGAGE
Not Vulnerable
No Java

UNIVERGE BLUE Smart Access
Not Vulnerable
Has Spring, but runs on JDK 8, which is not vulnerable

UNIVERGE BLUE Monitor
Not Vulnerable
No Spring Framework

UNIVERGE Smart Guest Check-In (Kiosk)
Not Vulnerable
No Java

Front Desk Assistant
VULNERABLE
To mitigate, upgrade to Smart Access v3.1.0 or higher

NeoFace Watch FR
Not Vulnerable
No Java

UNIVERGE UC Connector
Not Vulnerable
No Java

UNIVERGE Business ConneCT (BCT)
Not Vulnerable
No Java

UC for Enterprise (UCE) Application Platform
Not Vulnerable
No Spring Framework

UC for Enterprise (UCE) Mobile Clients
Not Vulnerable
MC550 Android uses Spring, but none of the vulnerable libraries

UC for Enterprise (UCE) Attendant
Not Vulnerable
No Spring Framework

UC for Enterprise (UCE) Manager (MA4000)
Not Vulnerable
No Java

UC for Enterprise (UCE) IVR (QueWorX)
Not Vulnerable
No Java

Navigator MIS (Global Navigator)
Not Vulnerable
No Spring Framework

Expense Management
Not Vulnerable
No Java

TigerTMS
Not Vulnerable
No Java

SLC (uMobility)
Not Vulnerable
No Java

UNIVERGE Soft Client SP350
Not Vulnerable
No Java

MLC
Not Vulnerable
No Java

BizMLC
Not Vulnerable
No Java

uSN (MLC Management Component)
Not Vulnerable
No Java

MyCalls
Not Vulnerable
No Java

MobiCall
Not Vulnerable
No Java

UNIVERGE IP Phone DT700
UNIVERGE IP Desktop Terminals DT700 Series
UNIVERGE IP Phone DT800
UNIVERGE IP Desktop Terminals DT800 Series
Not Vulnerable
No Java

UNIVERGE Digital Phone DT300
UNIVERGE Digital Desktop Terminals DT300 Series
UNIVERGE Digital Phone DT400
UNIVERGE Digital Desktop Terminals DT400 Series
Not Vulnerable
No Java

UNIVERGE DT200
Not Vulnerable
No Java

AT-15/AT-35/AT-40/AT-45
Not Vulnerable
No Java

IP DECT DAP Controller, InDECT, DMLS, AP400, Tools
Not Vulnerable
No Java

DECT Location Gateway, I766, G266, G566, M166, G277, G577, G577h
Not Vulnerable
No Java

Blueprint
Not Vulnerable
No Java

UG50
Not Vulnerable
No Java

MG-SIP, MCMG, VS32
Not Vulnerable
No Java

UNIVERGE UM4730
Not Vulnerable
No Spring Framework

UNIVERGE UM8700
Not Vulnerable
No Spring Framework

UNIVERGE UM8000
Not Vulnerable
No Spring Framework

UC Suite
Not Vulnerable
No Java

InMail
Not Vulnerable
No Java

LMS (License Management Service)
Not Vulnerable
No Java

LMC (License Management Client)
Not Vulnerable
No Java

NEC Meeting Center NMC
Not Vulnerable
No Java

UNIVERGE BX Series
Not Vulnerable
No Spring Framework

GT210
Not Vulnerable
No Java

GT890
Not Vulnerable
No Java

Tools for GT Series
Not Vulnerable
No Java

3C GT Phones
Not Vulnerable
No Java

UNIVERGE ST500
Not Vulnerable
No Java

InApps
Not Vulnerable
No Java

Express5800 Fault Tolerant Server (all 300 series)
Not Vulnerable
No Spring Framework

Express5800 General Purpose Server (all 100 series) Except for R120h-1M/2M
Under Investigation

Express5800 General Purpose Server R120h-1M/2M
Under Investigation

ESMPRO/ServerManager, ServerAgent
Not Vulnerable
No Spring Framework

Hyper Converged Infrastructure D120H
Under Investigation

Scale Computing HC3 (HCI)
Not Vulnerable
No Spring Framework

SR250 (HCI - Lenovo)
SR630 (HCI - Lenovo)
SR650 (HCI - Lenovo)
Not Vulnerable
No Spring Framework

Leostream (VDI)
Under Investigation

M720Q (Edge)
M80Q (Edge)
Under Investigation

HYDRAstor
Not Vulnerable
No Spring Framework

M Series Storage
Under Investigation

ExpressCluster R3 LAN
ExpressCluster R3 WAN
ExpressCluster R3 SAN
ExpressCluster R4.x
Not Vulnerable
No Spring Framework

VPCC v6.x
Not Vulnerable
No Spring Framework

US120f
Not Vulnerable
No Java

US320f
Not Vulnerable
No Java

NOE
Not Vulnerable
No Spring Framework

QX switches
Not Vulnerable
No Spring Framework

Masterscope NFA or Network Manager WebConsole on Linux
Not Vulnerable
No Spring Framework

PFC (ProgrammableFlow Controller)
Not Vulnerable
No Spring Framework

Notes for UNIVERGE 3C

UNIVERGE 3C is not vulnerable to Spring4Shell.

Neither UC Client nor the Mobile Clients include Spring Framework.

UCM versions v9.2.1.8 and v10.1.0.14 P2 each include Java with Spring Framework in three components (RIA Service, File Server and Web Admin). However, none of the Spring instances are vulnerable according to the criteria of CVE-2022-22965 (nist.gov):
  • UCM 9.2.1.8 has Spring versions 4.2.0, 2.0.8 and 4.2.3. None of them are affected versions.
  • UCE 10.1.0.14 P2 has Spring version 4.3.29, which is not an affected version, and version 5.2.15, which is used without MVC or WebFlux and is therefore unaffected.