Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

It was recently confirmed that Spring4Shell has at least one RCE vulnerability in the Spring framerwork. VMWare has published a CVE-2022-22965:https://tanzu.vmware.com/security/cve-2022-22965.
You can read Spring’s public announcements here: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement. There is another article with in-depth analysis on how to test and patch for the weakness here: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/Investigation is still in progress, and you can expect updates as analyses get further.


Is Kantega SSO Enterprise affected?

Kantega SSO Enterprise is built with JDK 8 packaged as a .jar, and we do not use spring-core, spring-webmvc or spring-webflux. From our intital analysesanalysis (), Kantega SSO Enterprise is NOT not affected by Spring4Shell CVE-2022-22965.

Is my

...

Atlassian

...

Data Center / Server system affected?


You should await advice from Atlassian on how to mitigate in your scenario or consult your own security team. If you run package scans on your system, you will likely find some Spring packages. Whether your system is vulnerable will likely depend on what version of Jira/Confluence/Bitbucket you’re running, and likely also what JVM version you’re running in your system. You should keep We recommend consulting with your security team and keep following updates on the CVE and Spring’s documentation for updates about more attack vectors, as well as updates and announcements from Atlassian’s security team. Keep checking for important security updates of your Atlassian host systems. If you have questions about this, please refer to Atlassian support for assistance: https://support.atlassian.com/, or await their public security advisoriesavailable on your system.
Atlassian has published security advisories here: https://confluence.atlassian.com/security/articles-951406100.html and FAQ’s: https://confluence.atlassian.com/kb/atlassian-knowledge-base-179443510.html kb/faq-for-cve-2022-22963-cve-2022-22965-1115149136.html.

These are the requirements for being vulnerable from the specific scenario from the Spring report (as of 20:30 CET):

  • Running JDK 9 or higher

  • Apache Tomcat as the Servlet container

  • Packaged as WAR

  • spring-webmvc or spring-webflux dependency:

    • Uses Spring MVC (5.3.15 and at least down to 4.3.0, possibly further)

  • Endpoint using @RequestMapping, aka. Spring parameter binding

  • Request parameter is of type object which maps to a POJO

    • Vulnerable: @NotNull DataObject data

    • Not vulnerable: @NotNull String string

...


Sources

Info

Changelog

  • Add link to Atlassian documentation 19.30 CET

  • Rewrite general advice 20:50 CET

  • Initial publication 20:30 CET