Security Announcement on the Spring4Shell Exploit

We will update this announcement with new details as they emerge from our analysis. Please check back periodically.

Last update: April 13, 2022 – 12:20 PM CET

A new vulnerability called "Spring4Shell" has been identified.

The vulnerability is described in detail in the following post:

https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/#rce-in-spring-core


As further information is now being published in the community, this security issue consists of two separate security vulnerabilities:

1) Remote Code Execution Vulnerability in Spring Core (Critical Severity)

For this vulnerability there is no CVE entry at the moment, but it is considered to be of “critical severity”.

This vulnerability is now being tracked under CVE-2022-22965 and is classified as “very severe”.

Based on currently available information, components that are using Spring Core <=5.3.17 together with JDK9 or newer are affected.

The security community's initial assessment on March 31, 2022 was that this vulnerability affects components that are using Spring Core <=5.3.17 together with JDK9 or newer.

The latest update, now officially from Spring, states that the vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to the exploit. They are investigating if there are any other potentially exploitable scenarios.
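To turn the preconditions above (Spring Core <=5.3.17, JDK 9 or newer, and a WAR deployment on Tomcat for the known exploit) into a repeatable inventory check, here is an added triage helper; it is example code written for this page, not code from OPTIMAL SYSTEMS or from Spring, and the inventory entries, host names and verdict labels are constructed assumptions.

```python
"""Triage helper: does a deployment meet the Spring4Shell (CVE-2022-22965)
preconditions named in the announcement? Conditions are taken from the page;
the host inventory and verdict labels are constructed for this example."""
import re
from dataclasses import dataclass

PATCHED_SPRING = (5, 3, 18)   # first release above the affected <= 5.3.17 range

def parse_version(text: str) -> tuple:
    """Turn '5.3.17', '5.3.17.RELEASE' or '11.0.2+9' into a comparable tuple."""
    nums = re.findall(r"\d+", text)
    return tuple(int(n) for n in nums[:3])

def java_major(text: str) -> int:
    """Map legacy '1.8.0_322' and modern '11.0.2' / '17' strings to a major number."""
    parts = parse_version(text)
    if parts[0] == 1 and len(parts) > 1:   # legacy 1.x scheme (JDK 8 and older)
        return parts[1]
    return parts[0]

@dataclass
class Deployment:
    name: str
    spring_core: str
    jdk: str
    packaging: str      # "war" or "jar"
    container: str      # e.g. "tomcat", "embedded"

def triage(d: Deployment) -> str:
    """Return 'not affected', 'patch (not known exploit path)' or 'patch now'."""
    vulnerable_lib = parse_version(d.spring_core) < PATCHED_SPRING
    if not vulnerable_lib or java_major(d.jdk) < 9:
        return "not affected"
    # The page names WAR-on-Tomcat as the known exploit path; other JDK 9+
    # deployments still carry the vulnerable library and should be scheduled.
    if d.packaging.lower() == "war" and d.container.lower() == "tomcat":
        return "patch now"
    return "patch (not known exploit path)"

# Constructed sample inventory (hypothetical hosts, not products from the page).
INVENTORY = [
    Deployment("app-a", "5.3.17", "11.0.2", "war", "tomcat"),
    Deployment("app-b", "5.3.17", "1.8.0_322", "war", "tomcat"),
    Deployment("app-c", "5.3.16.RELEASE", "17", "jar", "embedded"),
    Deployment("app-d", "5.3.18", "17", "war", "tomcat"),
]

def triage_all(items=INVENTORY) -> dict:
    """Verdict per deployment name, for the whole inventory."""
    return {d.name: triage(d) for d in items}
```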


Potentially affected product lines: yuuvis® RAD (all versions), yuuvis® Momentum (all versions)

We are currently analyzing whether this vulnerability can be exploited in these products, as well as the possible mitigation options, until Spring publishes the official patch.


Not affected product lines: enaio® (all versions), yuuvis® RAD (all versions) and yuuvis® Momentum (all versions)

enaio® components in all supported versions are still using JDK8 and are therefore, according to the currently available information, not affected. yuuvis® RAD and yuuvis® Momentum in all supported versions, although using newer JDKs, do not fulfill the other currently known prerequisites stated above that are needed for a successful exploit, and are therefore not affected.

We also conducted internal penetration tests based on the currently known exploit scenarios and confirmed that our products are not affected. As always, we will continue to monitor developments and will update this information if needed, should additional vulnerabilities be discovered.


2) Remote Code Execution and Expression Resource Access Vulnerability in Spring Cloud (Medium Critical Severity)

This vulnerability is tracked under CVE-2022-22963 and is currently classified as “medium critical severity”. Since this vulnerability is not critical, the affected components will be patched in our regular patch cycle.

Although this CVE has been reclassified to a Critical Vulnerability, it has also been defined more precisely to affect only the Spring Cloud Function module. Since yuuvis® Momentum does not use this module, it is not affected by this vulnerability.

Affected product lines: none (yuuvis® Momentum (all versions) was previously listed here)


Not affected product lines: enaio® (all versions), yuuvis® RAD (all versions), yuuvis® Momentum (all versions)


Best regards

Your OPTIMAL SYSTEMS Team