On Thursday, March 31st, 2022, the Egnyte Security Team was made aware of a vulnerability in the common Java frameworks, Spring MVC and Spring WebFlux. The vulnerability was assigned CVE-2022-22965.
Upon learning about this vulnerability and its potential impact, Egnyte immediately triggered our incident response process to identify if and where the Egnyte platform uses the vulnerable library across its products and infrastructure.
Here is the status breakdown for Egnyte Products:
- Storage Sync - Not affected
- Desktop App - Not affected
- Mobile Apps - Not affected
- Egnyte Platform (Connect + Secure & Govern) - Not affected
- EgnyteGov - Not affected
- Site Connector - Not affected
- Internal infrastructure - Not affected
- Turbo/Smart Cache - Not affected
In addition to patching our products and infrastructure, Egnyte has reviewed all relevant historical logs and monitoring systems to determine whether the vulnerability had already been exploited against our products or infrastructure.
We have not detected any successful exploitation attempts, and our security team continues to monitor the situation actively.
We continue to investigate these vulnerabilities and to keep up to date with community research. This page may be updated as needed.