Dear Ladies and gentlemen, From the current perspective, there is no urgent need for action with MOA-ID E-ID Proxy concerning the 'Spring4Shell' vulnerabilities CVE-2022-22965. Although the corresponding library is included in the MOA-ID E-ID Proxy, the MOA-ID E-ID Proxy is not affected by CVE-2022-22965 from a current perspective because not all of the conditions required for an attack are applied. In detail, the MOA-ID E-ID Proxy uses the @RequestMapping annotation but no @ModelAttribute annotation to process the request parameters. According to the Spring-MVC documentation, all parameters…

Dear Ladies and gentlemen, From the current point of view, there is no urgent need for action at MOA-SPSS with regard to the log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046. In detail, the problematic component for CVE-2021-44228 is in the logger backend implementation of log4j and thus in the file "log4j-core-xxx.jar", whereby all versions between 2.0.0 and <2.16.0 are affected. This does not affect, for example, the log4j API "log4j-api-xxx.jar", since it only provides the interface but no implementation, or log4j bridges, such as "log4j-to-slf4j-xxx.jar", as this only provides one…