On Thursday 31 March 2022 VMware published CVE-2022-22965, describing a vulnerability in the Spring Framework. Since then a number of customers have contacted our Support Team to ask whether Chocolatey products are vulnerable.
VMware maintains Spring, a very popular Java-based framework for building Java applications more quickly. The CVE VMware published identifies an issue in the Spring MVC and Spring WebFlux components of Spring Framework versions 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19 (fixed in 5.3.18 and 5.2.20); older, unsupported versions of Spring are also affected.
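If you run Java applications alongside Chocolatey (the QDE's Java components, or anything else on the same hosts) and want to check them against the version ranges above yourself, the following script walks a directory tree and reports Spring Framework jars in the affected ranges, including copies bundled inside .war/.ear archives under WEB-INF/lib, where web applications usually carry their dependencies. It is an added example written for this post, not Chocolatey tooling or anything from VMware, Sonatype or Jenkins, and it assumes the Maven naming convention spring-<artefact>-<major>.<minor>.<patch>[.RELEASE].jar; the sample tree it builds in demo() is constructed from empty placeholder files, not real product jars.

```python
"""Find Spring Framework jars in the CVE-2022-22965 affected ranges under a directory tree.

Assumptions (not from the Chocolatey post): jars follow the Maven naming convention
spring-<artefact>-<major>.<minor>.<patch>[.RELEASE].jar, and bundled copies live
inside .war/.ear/.jar archives (e.g. WEB-INF/lib), which are opened as zip files.
"""
import os
import re
import shutil
import tempfile
import zipfile
from typing import List, Optional, Tuple

# Artefacts versioned with the framework release; spring-boot/spring-security use their own numbering.
SPRING_ARTEFACTS = ("spring-core", "spring-beans", "spring-web", "spring-webmvc", "spring-webflux")
JAR_RE = re.compile(r"^(spring-[a-z]+)-(\d+)\.(\d+)\.(\d+)(?:[.-][A-Za-z0-9.]+)?\.jar$")

# Inclusive affected patch ranges from the VMware advisory: 5.3.0-5.3.17 and 5.2.0-5.2.19.
AFFECTED_PATCH_RANGE = {(5, 3): (0, 17), (5, 2): (0, 19)}

Version = Tuple[int, int, int]


def parse_spring_jar(name: str) -> Optional[Tuple[str, Version]]:
    """Return (artefact, version) for a framework jar filename or zip entry, else None."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    m = JAR_RE.match(base)
    if not m or m.group(1) not in SPRING_ARTEFACTS:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def is_affected_version(version: Version) -> bool:
    """True when the version is in an affected range or in an older, unsupported line."""
    major, minor, patch = version
    if major != 5:
        return major < 5   # 4.x and earlier: out of support and affected; later majors postdate the fix
    if minor < 2:
        return True        # 5.0.x / 5.1.x: unsupported lines, also affected
    if minor > 3:
        return False
    low, high = AFFECTED_PATCH_RANGE[(major, minor)]
    return low <= patch <= high


def scan_tree(root: str) -> List[Tuple[str, str, str]]:
    """Return sorted (location, artefact, version) for affected jars on disk or inside archives."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            hit = parse_spring_jar(fname)
            if hit and is_affected_version(hit[1]):
                findings.append((path, hit[0], ".".join(map(str, hit[1]))))
            # Look inside archives: a .war's WEB-INF/lib is where bundled framework jars usually sit.
            if fname.lower().endswith((".jar", ".war", ".ear")) and zipfile.is_zipfile(path):
                try:
                    with zipfile.ZipFile(path) as archive:
                        for entry in archive.namelist():
                            nested = parse_spring_jar(entry)
                            if nested and is_affected_version(nested[1]):
                                findings.append((f"{path}!{entry}", nested[0], ".".join(map(str, nested[1]))))
                except zipfile.BadZipFile:
                    pass  # a file that merely looks like an archive; nothing to inspect
    return sorted(findings)


def demo() -> List[Tuple[str, str, str]]:
    """Build a constructed sample tree (empty placeholder files, not real product jars) and scan it."""
    root = tempfile.mkdtemp(prefix="spring-scan-")
    try:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        # Loose jars: one affected, one fixed, one from a project with its own version numbering.
        for name in ("spring-beans-5.3.17.jar", "spring-core-5.3.18.jar", "spring-security-core-5.6.2.jar"):
            open(os.path.join(lib, name), "wb").close()
        # A web application archive bundling an affected 5.2.x jar next to a fixed one.
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/spring-webmvc-5.2.19.RELEASE.jar", b"")
            war.writestr("WEB-INF/lib/spring-web-5.2.20.RELEASE.jar", b"")
        return [(loc.replace(root, "<root>", 1), art, ver) for loc, art, ver in scan_tree(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for location, artefact, version in demo():
        print(f"{artefact} {version} at {location}")
```

Point scan_tree() at an application's install directory (or a whole drive, if you have the time) rather than demo(). A hit means an affected framework version is present on disk; it does not by itself mean the other prerequisites in VMware's advisory (JDK 9 or later, deployment as a WAR on Tomcat, use of Spring MVC or WebFlux data binding) are met, so treat it as a prompt to update, not as proof of exposure. Conversely, a clean scan only covers jars named in the conventional way; shaded or renamed jars need a look inside the archive's manifest.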
Are Chocolatey Products Affected?
Chocolatey products do not run on, or use, Java and do not use the Spring library. The Chocolatey For Business products below are therefore NOT vulnerable:
- Chocolatey CLI
- Chocolatey Licensed Extension
- Chocolatey Agent
- Chocolatey GUI
- Chocolatey GUI Licensed Extension
- Chocolatey Central Management
While we call out the Chocolatey For Business products above specifically, no Chocolatey product, commercial or open-source, uses the Spring library, so none of them is vulnerable.
Chocolatey For Business Quick Deployment Environment (QDE)
Our Quick Deployment Environment enables customers to get up and running with Chocolatey For Business in as little as 20 minutes. We provide it in Azure and also as a Quick Start Guide; in the past we have also provided it as a virtual machine image that you can import into your hypervisor of choice.
Whichever flavour of QDE you have, it has three components, each of which we have confirmed is NOT vulnerable.
Sonatype Nexus Repository OSS
Sonatype have confirmed that Nexus Repository does not use the Spring library and is therefore not vulnerable. Sonatype provides more information on its website.
Jenkins
The Jenkins team have confirmed that Jenkins core is not affected by this vulnerability, and they provide more information on their website.
Chocolatey Central Management
As confirmed above, Chocolatey Central Management does not run on, or use, Java and is therefore NOT vulnerable.
The most common repository managers used with Chocolatey are Sonatype Nexus and JFrog Artifactory, and we recommend both of those products to customers. Having confirmed above that Sonatype Nexus is not vulnerable, we also wanted to confirm that JFrog Artifactory is NOT vulnerable.
We hope this post answers your question as to whether Chocolatey products are vulnerable. However, if you are a Chocolatey For Business customer and have more questions, please reach out to our Support Team as normal. You can find out your options for doing so by running `choco support` from the command line.