Outage in Squiz

CVE-2022-22965 "Spring4Shell" Vulnerability

Resolved Maintenance
April 01, 2022 - Started about 2 years ago - Lasted 4 months

Outage Details

Components affected
Squiz Cloud Hosted Instances
Latest Updates (sorted recent to last)
IDENTIFIED about 2 years ago - at 04/01/2022 02:14AM

Dear Squiz Customers,
Squiz has been made aware of CVE-2022-22965, a vulnerability in the Spring Framework that is used in Java versions 9 and above. Java Version 9 and above is used in Funnelback versions 15.20 and above.

Our Security, Product and Platform teams have reviewed the specific CVE and exploitation method, and have determined that Funnelback is currently not vulnerable; the exploit is dependent on the Tomcat application server, which is not used in the Funnelback application as deployed by Squiz. However, this may change as further investigations are carried out by the Spring team. Matrix does not use Java and is not affected.

As part of our security response, Squiz is currently developing network level mitigations for the known exploit path, which we will deploy to all Funnelback and Squiz hosted systems as soon as it is tested and passes review. Squiz will also provide details of those mitigations to customers who self-host Funnelback solutions if requested. The Funnelback product team will also investigate product updates for affected Funnelback versions.

Squiz will continue to monitor developments for CVE-2022-22965, and if you have any additional questions please don’t hesitate to get in touch with Squiz via email to support@squiz.net.
