SECURITY
Publish Date: April 6, 2022
Version: 1.1
The UiPath Security and Product Engineering teams have been performing an exposure analysis of the Spring4Shell vulnerability, categorized as CVE-2022-22965, on the UiPath products. This post details our progress to date. Note that our assessment of products and services has been completed for the listed CVEs. We plan to update this page as material information becomes available. Our aim is to enable our customers to quickly mitigate risks to their security posture.
The following constitute our findings to date:
1. The following products contain the vulnerable Spring Framework libraries but have no known risk because exploitation is already mitigated in these products.
UiPath will update these products in a future release.
AI Center
Automation Suite
Cloud Elements
Insights
Test Manager
2. Services in UiPath’s Automation Cloud that contained the vulnerable Spring Framework libraries have already been updated to fully remediate the vulnerability. Please note there was no known risk due to mitigation associated with these services.
3. The following products, both the cloud service and the on-premises versions, do not contain the vulnerable Spring Framework libraries and have no known risk at this time:
Studio (all types), Assistant, Robot (all types including AI Robots, Cloud Robots, etc.). All extensions packaged with Studio (browser extensions, etc.)
All UiPath Activity Packages published to the UiPath Official Feed
Orchestrator
Automation Hub (including Task Capture)
Data Service
Task Mining
Process Mining
Automation Ops
Action Center
Apps
High Availability Add-on (HAA)