A vulnerability CVE-2022-22965, has been detected in VMware Spring for Java versions 9 and later.
All currently supported versions of Squash TM (1.22.X, 2.X and 3.X) are compiled in Java 8. The core of Squash is therefore not directly impacted.
However, to avoid any risk of exploitation of the flaw when the execution server used to run Squash TM is later than Java 9, corrective versions have been released for all supported versions. They include the disallowed fields proposed by Spring.
The corrective versions are the following:
Note also that the docker images will be available in the coming days
This patch requires only the update of the application, the database is not impacted.
This vulnerability does not impact the installations of Squash AUTOM/DEVOPS or Xsquash (Cloud, Server and Data Center).