Important notice regarding Spring4Shell CVE-2022-22965 & CVE-2022-22963

Morpheus’ CSIRT has evaluated CVE-2022-22965, also known as Spring4Shell, and CVE-2022-22963; both affect Spring products but are unrelated to each other. Morpheus is not affected by either vulnerability. Spring4Shell (CVE-2022-22965) requires the @RequestMapping annotation when using Spring Beans before 5.2.20. Morpheus uses Grails instead of Spring MVC for request handling, which does not require @RequestMapping annotations. An update for 5.4.4 is coming that updates the Spring Beans version to 5.2.20; we are doing this to reduce the noise from security scanners.

Due to a Spring framework upgrade requirement, Morpheus cannot update Spring Beans in our 5.2.x release. As stated above, Morpheus is not vulnerable to Spring4Shell.

CVE-2022-22963 relates to Spring Cloud Function, which is not used in Morpheus and therefore does not apply to our product.

Morpheus continues to monitor the situation and take the necessary actions as needed.

Thank you,
The Morpheus Team

To further alleviate any concerns…