Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 11 Next »

It was recently confirmed that Spring4Shell has at least one RCE vulnerability in the Spring framerwork. Investigation is still in progress, and you can expect updates as analyses get completed. So far ( 21:00 CET) we point to these sources:


Is Kantega SSO Enterprise affected?

Kantega SSO Enterprise is built with JDK 8 packaged as a .jar, and we do not use spring-core, spring-webmvc or spring-webflux. From our intital analyses, Kantega SSO Enterprise is not affected by Spring4Shell CVE-2022-22965.

Is my Atlassian Data Center / Server system affected?


We recommend running package scans on your system to start analyzing and consult with your security team whether any packages are insecure, and keep following updates on the CVE and Spring’s documentation for updates about more attack vectors as well as updates from Atlassian’s security team. Keep checking for important security updates on your system.
Stay tuned for Atlassian’s public security advisories, which are usually posted here: https://confluence.atlassian.com/security/articles-951406100.html, and their FAQ’s which are usually posted here: https://confluence.atlassian.com/kb/atlassian-knowledge-base-179443510.html

These are the requirements for being vulnerable from the specific scenario from the Spring report (as of 20:30 CET):

  • Running JDK 9 or higher

  • Apache Tomcat as the Servlet container

  • Packaged as WAR

  • spring-webmvc or spring-webflux dependency:

    • Uses Spring MVC (5.3.15 and at least down to 4.3.0, possibly further)

  • Endpoint using @RequestMapping, aka. Spring parameter binding

  • Request parameter is of type object which maps to a POJO

    • Vulnerable: @NotNull DataObject data

    • Not vulnerable: @NotNull String string

Changelog

  • Rewrite general advice 20:50 CET

  • Initial publication 20:30 CET

  • No labels