It was recently confirmed that Spring4Shell is at least one RCE vulnerability in the Spring Framework.
...
VMWare has published a CVE under CVE-2022-22965.
...
You can read Spring’s public announcements here: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement.
...
Investigation is still in progress, and you can expect updates as the analysis progresses.
Is Kantega SSO Enterprise affected?
Kantega SSO Enterprise is built with JDK 8 and packaged as a .jar, and we do not use spring-core, spring-webmvc or spring-webflux. From our initial analysis, Kantega SSO Enterprise is not affected by Spring4Shell (CVE-2022-22965).
Is my Atlassian Data Center / Server system affected?
We recommend running package scans on your system to start analyzing, and consulting with your security team on whether any packages are insecure. Keep following updates on the CVE and Spring’s documentation for information about further attack vectors, as well as updates and announcements from Atlassian’s security team. Keep checking for important security updates available for your system.
Atlassian has published security advisories, which are usually posted here: https://confluence.atlassian.com/security/articles-951406100.html, and their FAQ, which is posted here: https://confluence.atlassian.com/kb/faq-for-cve-2022-22963-cve-2022-22965-1115149136.html.
These are the requirements for being vulnerable in the specific scenario described in the Spring report (as of 20:30 CET):
Running JDK 9 or higher
Apache Tomcat as the Servlet container
Packaged as WAR
spring-webmvc or spring-webflux dependency:
Uses Spring MVC (5.3.15 and at least down to 4.3.0, possibly further)
Endpoint using @RequestMapping, i.e. Spring parameter binding
Request parameter is of type object which maps to a POJO
Vulnerable: @NotNull DataObject data
Not vulnerable: @NotNull String string
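To make the last two items concrete, here is an added example (not code from Kantega SSO Enterprise or from the Spring project) of the vulnerable binding shape beside the workaround Spring recommended in the announcement linked above: a global @InitBinder that disallows binding to any "class"-rooted property path. The DataObject, DataController and BinderControllerAdvice names are assumptions; the scenario assumed is the one listed above (JDK 9+, Tomcat, WAR deployment).

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical POJO: request parameters are bound onto its properties.
class DataObject {
    private String name;
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
}

@RestController
@RequestMapping("/data")
class DataController {

    // Matches the "Vulnerable" line above: a request parameter of object type
    // that Spring binds onto a POJO. With an affected Spring version on JDK 9+
    // this binding is the entry point the advisory describes.
    @PostMapping("/object")
    public String bindObject(DataObject data) {
        return "name=" + data.getName();
    }

    // Matches the "Not vulnerable" line above: a plain String parameter
    // involves no nested property binding.
    @PostMapping("/string")
    public String bindString(String string) {
        return "string=" + string;
    }
}

// Workaround from the Spring announcement: deny binding to any property path
// that reaches the object's Class. LOWEST_PRECEDENCE makes this advice run
// last; a controller with its own @InitBinder that calls setDisallowedFields
// would still override it and must repeat these patterns.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
class BinderControllerAdvice {
    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

The denylist mitigates only the binding path described in the report; upgrading to a patched Spring Framework release remains the actual fix.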
...
Sources
Atlassian announcement: https://confluence.atlassian.com/kb/faq-for-cve-2022-22963-cve-2022-22965-1115149136.html
VMWare has published a CVE under CVE-2022-22965.
You can read Spring’s public announcements here: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement.
There is another article with in-depth analysis on how to test and patch for the weakness here: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/.
...