Table of contents

Published: 09:00 CET 19/04/2022
Latest update: 09:00 CET 19/04/2022

What is the Spring Framework?

The Spring Framework is a popular Java application framework that is commonly deployed using a servlet container such as Apache Tomcat. The Spring Framework provides a comprehensive programming and configuration architecture for modern Java-based corporate applications on any deployment platform.

What is the Spring4Shell Security Exposure?

Spring4Shell is a zero-day vulnerability in the Spring Framework which under some circumstances allows for remote code execution (RCE), if exploited by an attacker. The vulnerability is identified and tracked as CVE-2022-22965, and is rated as “critical”, with a CVSS score of 9.8/10.

How Can You Determine If You Are Exposed?

Data binding may expose a Spring MVC or Spring WebFlux application running on JDK 9+ to remote code execution (RCE). The application must operate on Tomcat as a WAR deployment to be exploited. The program is not vulnerable to the attack if it is deployed as a Spring Boot executable jar, which is the default. The vulnerability’s nature, though, is more generic, and there may be additional methods to attack it.

The following are requirements for the exploit:

  • JDK 9 or above
  • The Servlet container is Apache Tomcat.
  • WAR is the package format
  • Dependency on spring-webmvc or spring-webflux

How Can You Mitigate This Issue?

Users of impacted versions should upgrade to version 5.3.18+, and users of version 5.2.x should upgrade to version 5.2.20+. No further action is required.

What Are TECHNIA Doing About This?

We have analyzed all TECHNIA Software offerings and, according to presently available information, we do not believe our products are vulnerable to Spring4Shell exploitation. We will, however, continue to actively monitor and analyze the situation as new information becomes available.

  • We have determined that we do not have any direct dependencies to affected versions
  • We are reviewing all ongoing consulting engagements and have not identified any dependencies to affected versions
  • We are working with our partners to coordinate our investigation and potential mitigation efforts

Should you have any specific inquiries about this topic, please contact us at [email protected] | Updates will be posted to this page as additional information becomes available.

What Are Dassault Systèmes Doing About This?

Dassault Systèmes has released a statement to vendors regarding the Spring4shell Security Exposure.

What Are Atlassian Doing About This?

Atlassian has released a statement regarding the Spring4Shell Security Exposure:

“CVE-2022-22963 is a vulnerability in the Spring Cloud Function package and is unrelated to the subsequently published CVE-2022-22965. Atlassian cloud instances and on-premises products are not vulnerable to any known exploit for CVE-2022-22963.”

Latest Updates

Spring have released a statement with information on mitigations and links to updated versions of the affected components.

For more information, and to stay up to date on this issue, please refer to our security partners, Truesec.

Previous
5 Benefits of PLM and Digital Solutions in Healthcare
Next
Designing Sustainable Packaging with PLM
At TECHNIA, we pave the way for your innovation, creativity and profitability.

We combine industry-leading Product Lifecycle Management tools with specialist knowledge, so you can enjoy the journey from product concept to implementation. Our experience makes it possible to keep things simple, personal and accessible so that together we transform your vision into value.

About TECHNIA
Want to receive more content like this?
  • Related news and articles straight to your inbox
  • Hints, tips & how-tos
  • Thought leadership articles
How-to’s, hints & tips

Learn how to work better together with world-leading PLM knowledge that keeps your engineering design, simulation and manufacturing ahead of the curve.

Read posts