Spring Framework Vulnerability Announcement

MikeRodriguez
Tealium Employee

On March 31, 2022 it was announced that the popular Java framework, Spring, was vulnerable to a remote code execution (RCE) vulnerability (CVE-2022-22965).

Is Tealium at risk?

No. Tealium information security reviewed our codebase and found that we were not vulnerable to the RCE.

What is Tealium’s response? 

Tealium is monitoring the situation in case additional information is released regarding CVE-2022-22965. Furthermore, as indicators of compromise and defensive recommendations are released, we will update our posture to secure our systems and data processing networks and mitigate any new threats.

What do customers need to do? 

Nothing needs to be done in relation to the use of Tealium’s services. Customers may continue to use Tealium’s services normally. 

Will Tealium keep customers informed? 

We will invoke our Incident Response processes and notify affected customers if additional information is released and our status changes.

If you have any questions or concerns, please contact your customer management team. 

Compliance, Governance and Audits 

As a reminder, Tealium agrees to comply with its obligations under applicable laws and regulations, including those related to data security and privacy. See Tealium's terms at tealium.com/terms, CPP section 2, Data Processing.

Tealium maintains an Information Security and Privacy Management System ("ISPMS") that defines how our security and privacy program is implemented. The ISPMS program has executive oversight from the ISPMS Governance Council, which meets quarterly.

Tealium certifies annually to the following frameworks:

SOC2 Type 2 

ISO/IEC 27001:2013 

ISO/IEC 27018:2019 - Security in the Cloud enhancements to 27001 

ISO/IEC 27701:2019 - Privacy enhancements to 27001 

Health Insurance Portability and Accountability Act (“HIPAA”) 

Security Related Training  

Tealium's employees must complete annual Information Security Awareness training to ensure everyone at Tealium understands their role and responsibilities in the security of Tealium and our Services.

Tealium's Operations staff undergo extended training on security and HIPAA requirements to ensure they understand the additional controls in place as well as the privacy impacts of handling Protected Health Information (PHI).

Tealium’s Developers are trained in secure coding practices and compliance with at least the OWASP Top 10 and SANS Top 25 Most Dangerous Programming Errors. 
