It was recently confirmed that Spring4Shell is at least one RCE vulnerability in the Spring Framework. VMware has published CVE-2022-22965: https://tanzu.vmware.com/security/cve-2022-22965.
You can read Spring’s public announcements here: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement. There is another article with in-depth analysis on how to test and patch for the weakness here: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/.
Is Kantega SSO Enterprise affected?
Kantega SSO Enterprise is built with JDK 8, and we do not use spring-core, spring-webmvc or spring-webflux. From our initial analyses, Kantega SSO Enterprise is NOT affected by Spring4Shell.
All we can find in our scans are provided dependencies in our bundle originating from the Jira Core package and other Atlassian packages, which means that other components in the Atlassian host system might be affected in some cases. We do not have an overview to give on this, and you will have to wait for Atlassian’s own security advisory documents.
Is my (Atlassian) Data Center / Server system affected?
You should await advice from Atlassian on how to mitigate in your scenario or consult your own security team. If you run package scans on your system, you will likely find some Spring packages. Whether your system is vulnerable will likely depend on what version of Jira/Confluence/Bitbucket you’re running, and likely also what JVM version you’re running in your system. You should keep checking for important security updates of your Atlassian host systems. If you have questions about this, please refer to Atlassian support for assistance: https://support.atlassian.com/, or await their public security advisories: https://confluence.atlassian.com/security/articles-951406100.html and FAQs: https://confluence.atlassian.com/kb/atlassian-knowledge-base-179443510.html
These are the requirements for the specific scenario from the Spring report (as of 20:30 CET):
Running JDK 9 or higher
Apache Tomcat as the Servlet container
Packaged as WAR
spring-webmvc or spring-webflux dependency:
    Uses Spring MVC (5.3.15 and at least down to 4.3.0, possibly further)
    Endpoint using @RequestMapping, aka. Spring parameter binding
Request parameter is of type object which maps to a POJO
    Vulnerable: @NotNull DataObject data
    Not vulnerable: @NotNull String string
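The requirement list above is a set of preconditions that can be checked one by one against a deployed system. The script below is an added example (not Kantega's or Atlassian's tooling, and not part of the original advisory) that evaluates the environment-level preconditions from that list: JDK major version, servlet container, WAR packaging, and whether a spring-webmvc or spring-webflux jar within the quoted 4.3.0 to 5.3.15 range is present under an exploded WAR. The function names, the constructed sample directory and the jar file names are assumptions made for the example. It cannot tell whether application code binds request parameters to a POJO through @RequestMapping; a positive result means that code review is warranted, not that the system is exploitable.

```python
"""Spring4Shell precondition check (added example, not the advisory's own tooling)."""
import re
import tempfile
from pathlib import Path

# Matches jar names such as spring-webmvc-5.3.15.jar or spring-core-4.3.0.RELEASE.jar
SPRING_JAR = re.compile(
    r"^(spring-(?:core|webmvc|webflux))-(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9_]+)?\.jar$"
)
# Spring MVC range quoted in the advisory: 5.3.15 and at least down to 4.3.0
LISTED_LOW, LISTED_HIGH = (4, 3, 0), (5, 3, 15)


def java_major(version_string):
    """Major version from a `java -version` style string: '1.8.0_312' -> 8, '11.0.14' -> 11, '17' -> 17."""
    m = re.match(r'"?(\d+)(?:\.(\d+))?', version_string.strip())
    if not m:
        raise ValueError(f"unrecognised Java version: {version_string!r}")
    major = int(m.group(1))
    # JDK 8 and earlier report themselves as 1.x; JDK 9 and later report the major directly
    if major == 1 and m.group(2):
        return int(m.group(2))
    return major


def find_spring_jars(root):
    """Map artifact name -> (major, minor, patch) for Spring jars found anywhere under root."""
    found = {}
    for path in Path(root).rglob("*.jar"):
        m = SPRING_JAR.match(path.name)
        if m:
            found[m.group(1)] = tuple(int(x) for x in m.group(2, 3, 4))
    return found


def assess(root, java_version, container="tomcat", packaging="war"):
    """Evaluate the advisory's environment preconditions for one deployment.

    Returns (all_met, checks); checks maps each precondition to (met, detail).
    all_met True means every listed environment precondition holds and the
    @RequestMapping endpoints should be reviewed; False means at least one is absent.
    """
    jars = find_spring_jars(root)
    web = {k: v for k, v in jars.items() if k in ("spring-webmvc", "spring-webflux")}
    in_range = {k: v for k, v in web.items() if LISTED_LOW <= v <= LISTED_HIGH}
    web_detail = ", ".join(f"{k}-{'.'.join(map(str, v))}" for k, v in sorted(web.items()))
    checks = {
        "jdk9_or_higher": (java_major(java_version) >= 9, f"java {java_version}"),
        "tomcat_container": (container.lower() == "tomcat", container),
        "war_packaging": (packaging.lower() == "war", packaging),
        "spring_web_dependency": (bool(web), web_detail or "none found"),
        # Versions outside the quoted range are reported as unverified, not as safe
        "version_in_listed_range": (bool(in_range), "outside listed range, verify against the Spring announcement" if web and not in_range else web_detail),
    }
    return all(met for met, _ in checks.values()), checks


def demo():
    """Constructed sample: an exploded WAR in a temp dir with spring-webmvc 5.3.15 inside WEB-INF/lib."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "WEB-INF" / "lib"
        lib.mkdir(parents=True)
        for name in ("spring-core-5.3.15.jar", "spring-webmvc-5.3.15.jar", "jackson-databind-2.13.2.jar"):
            (lib / name).touch()  # empty files stand in for the real jars
        met_jdk17, checks_jdk17 = assess(tmp, "17.0.2")
        met_jdk8, _ = assess(tmp, "1.8.0_312")           # JDK 8 fails the first precondition
        met_jetty, _ = assess(tmp, "17.0.2", container="jetty")
        return {
            "jdk17_tomcat_war": met_jdk17,
            "jdk8_tomcat_war": met_jdk8,
            "jdk17_jetty_war": met_jetty,
            "webmvc_version": find_spring_jars(tmp).get("spring-webmvc"),
            "detail": checks_jdk17["spring_web_dependency"][1],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a real installation by calling assess() with the exploded WAR directory and the output of `java -version` from the JVM that actually runs the container; on an Atlassian host the Spring jars you find may be provided dependencies of the product itself, so a positive result is a prompt to check Atlassian's advisories rather than a verdict on your own code.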
Changelog
Initial publication 20:30 CET