KB Article #182093
Zero-Day Vulnerability in Java Spring Framework "Spring4Shell"
Axway Engineering has confirmed that Amplify SaaS services are NOT vulnerable
Context
What is the Spring4Shell vulnerability?
Spring4Shell is a confirmed unauthenticated RCE in Spring Core <=5.3.17. The CVE has not yet been rated by the NVD. The security industry is referring to this vulnerability as "Spring4Shell" or "SpringShell".
A fix was released in 5.3.18 and 5.2.20.
What is the Spring4Shell (CVE-2022-22965) vulnerability description?
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Risk conditions highlighted by Rapid7:
- Any components using Spring Framework versions before 5.2.20, 5.3.18 AND JDK version 9 or higher are considered potentially vulnerable;
- Any components that meet the above conditions AND are using @RequestMapping annotation and Plain Old Java Object (POJO) parameters are considered actually vulnerable and are at some risk of being exploited;
- Any components that meet the above conditions AND are running Tomcat are currently most at risk of being exploited (due to readily available exploit code that is known to work against Tomcat-based apps).
What is the impact of Spring4Shell?
This vulnerability can lead to remote code execution on the targeted system.
Useful links:
- https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
- https://tanzu.vmware.com/security/cve-2022-22965
- https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
- https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/
- https://nvd.nist.gov/vuln/detail/CVE-2022-22965
- External Axway notifications:
Details
Amplify API Management Platform Services – not vulnerable
Leverages Java 8, and none of the risk conditions highlighted above are applicable to the Amplify SaaS Services (including Central, Unified Catalog, Marketplace)
Amplify Application Integration – not vulnerable
Application Integration is not vulnerable
Amplify Foundation Services - not vulnerable
AxwayID service - Does not use Spring framework
Support portal – not directly vulnerable
The support portal leverages Spring Boot 2.4.3(Spring core 5.3.4) and Java 11, but the application is started as Spring Boot runnable and not as deployed war on Tomcat server
Axway Repository – not directly vulnerable
The Axway Repository binary and helm service leverage Spring Boot 2.6.1(Spring core 5.3.13) and Java 11, but the application is started as Spring Boot runnable and not as deployed war on Tomcat server. The other services part of Axway Repository do not use Spring but NodeJS
Amplify components deployed in customer environment – not vulnerable
The Amplify components below have no Java code, are not using log4j and are not vulnerable:
- Agents - Agents are written in golang.
- CLI - CLI is written in node.js.