On April 1, 2022, Intershop security and engineering teams received the first alerts regarding the Spring4Shell vulnerability (CVE-2022-22965 in Spring Framework, together with the closely related CVE-2022-22963 in Spring Cloud Function). Initial investigation shows that the Spring Java Framework is not used within our Core Software. Additional investigations are ongoing to determine whether any third-party software we ship utilizes or contains the Spring Java Framework.
April 4, 2022: The current investigation has not found the Spring Java Framework to be present within our Core Software, microservices or third-party software. We urge our clients to establish communications with their customization partners to ensure that they are aware of this issue and follow the recommended guidelines if they introduced the Spring Java Framework in their customizations.
April 5, 2022: The investigation into this vulnerability has concluded that Intershop's software, systems and production environments are not affected. We will continue monitoring for any potential issues or anomalous behavior, but we consider this issue closed.
On April 22, 2022, Intershop security and engineering teams became aware of a vulnerability in the Java implementation of ECDSA signature verification (CVE-2022-21449, popularly summarized as "multiplying by zero is as bad as dividing by zero"). Affected Java versions accept a signature whose two values r and s are both zero as valid for any message and any public key, because the verifier never checks that r and s lie in the required range 1 ≤ r, s < n before using them. The Elliptic Curve Digital Signature Algorithm (ECDSA) is widely used to authenticate data, for example during the TLS handshake and in signed tokens, so a verifier that accepts a blank signature can be bypassed by anyone. We are currently assessing the impact that this vulnerability has on our software and our systems in production.
April 26, 2022: We are in the process of auditing all operational containers to determine whether any are currently running an affected version of Java (Java 15 and later prior to the April 2022 security update; the fix is contained in 17.0.3 and 18.0.1, while Java 11 and earlier use a different implementation and are not affected). We will continue updating this page as more information becomes available.