Published: 09:00 CET 19/04/2022
Latest update: 09:00 CET 19/04/2022

What is the Spring Framework?

The Spring Framework is a popular Java application framework that is commonly deployed using a servlet container such as Apache Tomcat. The Spring Framework provides a comprehensive programming and configuration architecture for modern Java-based corporate applications on any deployment platform.

What is the Spring4Shell Security Exposure?

Spring4Shell is a zero-day vulnerability in the Spring Framework which, under some circumstances, allows an attacker to achieve remote code execution (RCE). The vulnerability is tracked as CVE-2022-22965 and is rated “critical”, with a CVSS score of 9.8/10.

How Can You Determine If You Are Exposed?

A flaw in data binding may expose a Spring MVC or Spring WebFlux application running on JDK 9+ to remote code execution (RCE). For the known exploit, the application must be deployed on Tomcat as a WAR. An application deployed as a Spring Boot executable jar, which is the default, is not vulnerable to this attack. The nature of the vulnerability, though, is more general, and there may be other ways to exploit it.

The following are the requirements for the known exploit:

  • JDK 9 or above
  • Apache Tomcat as the Servlet container
  • Packaged as a WAR
  • A dependency on spring-webmvc or spring-webflux

How Can You Mitigate This Issue?

Users of impacted versions should upgrade to version 5.3.18+, and users of version 5.2.x should upgrade to version 5.2.20+. No further action is required.
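The following Python script is an added example, not code from TECHNIA or the Spring project: it applies the four exposure conditions listed above, together with the fixed versions just named, to a single deployment described by its jar names (as listed in WEB-INF/lib), its Java version string, its packaging and its container. It assumes that Spring release trains newer than 5.3 postdate the fix and that trains older than 5.2, which have no published fix, count as unpatched.

```python
import re
# Fixed versions named in the advisory for CVE-2022-22965.
FIXED_5_3 = (5, 3, 18)
FIXED_5_2 = (5, 2, 20)

# Matches jar names as found in WEB-INF/lib, e.g. spring-webmvc-5.3.17.jar or spring-webflux-5.2.19.RELEASE.jar
JAR_RE = re.compile(r"^(spring-webmvc|spring-webflux)-(\d+)\.(\d+)\.(\d+)(?:[.-][A-Za-z0-9]+)?\.jar$")

def parse_spring_web_jar(name):
    """Return (artifact, (major, minor, patch)) for a spring-webmvc/webflux jar, else None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))

def version_is_fixed(version):
    """True for 5.3.18+ or 5.2.20+ (the advisory's fixed versions). Assumption: trains
    newer than 5.3 postdate the fix; trains older than 5.2 have no fix and count as unpatched."""
    train = version[:2]
    if train == (5, 3):
        return version >= FIXED_5_3
    if train == (5, 2):
        return version >= FIXED_5_2
    return train > (5, 3)

def jdk_major(java_version):
    """Major release from a 'java -version' style string: 1.8.0_312 -> 8, 11.0.14 -> 11, 17 -> 17."""
    parts = java_version.split(".")
    if parts[0] == "1" and len(parts) > 1:
        return int(parts[1])  # legacy 1.x numbering used up to JDK 8
    return int(re.match(r"\d+", parts[0]).group())

def assess(jar_names, java_version, packaging, container):
    """Apply the advisory's exposure conditions to one deployment and return the findings."""
    web_jars = [p for p in map(parse_spring_web_jar, jar_names) if p]
    r = {
        "spring_web_dependency": bool(web_jars),
        "unpatched_spring": any(not version_is_fixed(v) for _, v in web_jars),
        "jdk9_plus": jdk_major(java_version) >= 9,
        "tomcat_war": packaging.lower() == "war" and container.lower() == "tomcat",
    }
    # All four conditions together describe the known exploit path.
    r["known_exploit_conditions_met"] = all(r.values())
    # The flaw is more general than that path, so any unpatched spring-webmvc/webflux warrants the upgrade.
    r["upgrade_recommended"] = r["unpatched_spring"]
    return r

# Constructed sample: jar names as listed by `unzip -Z1 app.war`, Java 11, WAR deployed on Tomcat
SAMPLE = assess(["spring-core-5.3.17.jar", "spring-webmvc-5.3.17.jar"], "11.0.14", "war", "tomcat")
```

A Spring Boot executable jar with the same unpatched jar reports `known_exploit_conditions_met` as false but `upgrade_recommended` as true, matching the advisory's point that the known exploit is not the only possible one.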

What Are TECHNIA Doing About This?

We have analyzed all TECHNIA Software offerings and, according to presently available information, we do not believe our products are vulnerable to Spring4Shell exploitation. We will, however, continue to actively monitor and analyze the situation as new information becomes available.

  • We have determined that we do not have any direct dependencies to affected versions
  • We are reviewing all ongoing consulting engagements and have not identified any dependencies to affected versions
  • We are working with our partners to coordinate our investigation and potential mitigation efforts

Should you have any specific inquiries about this topic, please contact us at [email protected]. Updates will be posted to this page as additional information becomes available.

What Are Dassault Systèmes Doing About This?

Dassault Systèmes has released a statement to vendors regarding the Spring4Shell Security Exposure.

What Are Atlassian Doing About This?

Atlassian has released a statement regarding the Spring4Shell Security Exposure:

“CVE-2022-22963 is a vulnerability in the Spring Cloud Function package and is unrelated to the subsequently published CVE-2022-22965. Atlassian cloud instances and on-premises products are not vulnerable to any known exploit for CVE-2022-22963.”

Latest Updates

Spring have released a statement with information on mitigations and links to updated versions of the affected components.

For more information, and to stay up to date on this issue, please refer to our security partners, Truesec.
