
Security

Spring Framework “Spring4Shell” Vulnerabilities (CVE-2022-22963 & CVE-2022-22965)

Update from BlackLine Information Security (as of 4/4/2022)

The BlackLine Platform does not utilize the Java Spring Framework and therefore has not been impacted by the recently disclosed Spring Framework “Spring4Shell” vulnerabilities (CVE-2022-22963 & CVE-2022-22965). Additionally, no indicators of compromise have been identified within BlackLine’s internal environments to date.

BlackLine's operational and security teams continue to actively monitor these vulnerabilities and are further investigating and validating mitigations for them within BlackLine's internal environments, in accordance with current guidance from both trusted industry partners and public sector experts.

FAQs (as of 4/4/2022)

Q: Have client instances of the BlackLine Platform been vulnerable to the Spring Framework “Spring4Shell” vulnerabilities (including prior to their disclosure)?

A: Based on analysis performed by BlackLine as of 4/4/2022, client instances of the BlackLine Platform have not been vulnerable to the Spring4Shell vulnerabilities, because BlackLine does not maintain any external-facing components that utilize the Java Spring Framework as part of its hosted service.

Q: If the Spring Framework is used elsewhere in BlackLine's internal environments, have applicable components since been upgraded to a known secure version (5.3.18 or 5.2.20) and/or have older versions had vendor-recommended secure configurations implemented?

A: Yes / In-Progress – BlackLine's operational and security teams, in coordination with its trusted security and technology partners, continue to investigate and validate that any identified instances of the Spring Framework used internally or within third-party software are appropriately mitigated against both CVE-2022-22963 and CVE-2022-22965.

Such appropriate mitigations can include:

  • Patching to a known secure version of the Spring Framework (i.e., 5.3.18 or 5.2.20)

  • Upgrading Apache Tomcat to a known secure version (i.e., 10.0.20, 9.0.62, or 8.5.78)

  • Downgrading to Java 8 (if unable to patch either the Spring Framework or Apache Tomcat)

  • Enforcing a secure configuration of DisallowedFields on the WebDataBinder
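As an added illustration of the last mitigation (not code from this page or from BlackLine's platform), the following is the global WebDataBinder deny-list that the Spring project published as an interim workaround for CVE-2022-22965; the class name BinderControllerAdvice is an arbitrary choice.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global binder configuration applied to every @Controller in the application.
 * CVE-2022-22965 abuses Spring MVC data binding to reach the "class" property of
 * a bound object (and, through it, the ClassLoader). Refusing to bind any field
 * path that starts with, or passes through, "class"/"Class" closes that path.
 *
 * LOWEST_PRECEDENCE makes this advice run after other @ControllerAdvice beans,
 * so another global @InitBinder does not silently take its place.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Field patterns from Spring's interim guidance; "*" matches a whole path segment.
    private static final String[] DISALLOWED_FIELDS = {
            "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        dataBinder.setDisallowedFields(DISALLOWED_FIELDS);
    }
}
```

A controller that declares its own @InitBinder and calls setDisallowedFields locally overrides this global setting, so the deny-list is a stopgap; upgrading to the fixed Spring Framework or Apache Tomcat versions listed above remains the complete fix.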
Q: Are there any critical vendors in your supply chain that have been impacted by the Spring Framework “Spring4Shell” vulnerabilities and pose a threat to the BlackLine Platform as a result?

A: Based on analysis of its supply chain risk performed by BlackLine’s Information Security GRC team with information available as of 4/4/2022, BlackLine has not identified any critical vendors or subservice organizations that have been impacted by the Spring4Shell vulnerabilities and pose a threat to the BlackLine Platform as a result.
Q: What other risk prevention activities is BlackLine taking, specific to the Spring Framework “Spring4Shell” vulnerability advisories (CVE-2022-22963 and CVE-2022-22965)?

A: In accordance with industry guidance and best practices, BlackLine’s Security Operations team has been actively ingesting and reviewing IOCs as they are made available from trusted sources, and scanning for such IOCs with the following detective and preventative tools:

  • Firewalls

  • Endpoint Protection

  • Intrusion Detection System

  • SIEM

  • WAF

No known IOCs have been identified to date. BlackLine's security personnel will continue monitoring this vulnerability and any new information to ensure that all applicable risks are appropriately mitigated.

BlackLine will promptly communicate any pertinent updates to the above status on BlackLine's Trust site. Please contact BlackLine Support if you have any additional questions or concerns.

BlackLine is committed to notifying you of security vulnerabilities affecting you or our platform. We will publish security advisories here.

BlackLine will never ask you for your password. Do not give out your user credentials or login information to anyone. If you have any issues with your password or logging into your application, you may reset your password from the login page, or contact your BlackLine System Admin. If you are still having trouble accessing your BlackLine instance, contact Support. If you suspect a security threat or vulnerability, please submit a report to our Information Security team at security@blackline.com.