Recently, security researchers identified three remote code execution (RCE) vulnerabilities related to the Spring Framework (CVE-2022-22965, CVE-2022-22963, CVE-2022-22947). In addition, there is a fourth DoS vulnerability with Spring that has medium criticality, CVE-2022-22950.
Since these issues were first discovered, Udemy’s Security team has been working diligently to review and protect Udemy’s systems. At this point, there are no indicators that these vulnerabilities have negatively affected any company or personal data.
For high-risk, high-impact vulnerabilities such as these, our teams take a number of immediate steps, including testing to confirm levels of vulnerability, restricting network connections, and applying software or system updates or workarounds where necessary. Our Security and Engineering teams will monitor our environment, critical sub-processors, and vendors for instances of these vulnerabilities, attempted attacks, and notices from our contracted third parties.
As we obtain additional information, we will provide updates through this page. Our Security team is working diligently to ensure our systems are safeguarded as security researchers’ recommendations evolve, so we’re currently unable to provide custom responses. For detailed information on our response approach, please refer to the frequently asked questions below.
Have you updated to a safer version of Spring Framework?
In each case where vulnerable versions of Spring Framework or related offerings were previously in use, we have undertaken careful remediation, such as upgrading to a recommended newer version or implementing recommended workarounds. We have also adjusted our layered defenses to protect our systems more globally.
When will the remediation be complete?
Udemy’s Security team is monitoring recommendations from security experts and vendors as attack patterns for the Spring Framework vulnerabilities evolve, and our remediation and mitigation efforts will continue as these recommendations are shared.
Has customer data been compromised?
At this point, there are no indicators that these vulnerabilities have negatively affected any company or personal data.
Are you asking third-party vendors used in your environment about the impact of Spring Framework on them?
Udemy has reached out to key Udemy Business sub-processors, and we apply updates to tooling as our vendors release them.