Spring framework vulnerability - CVE-2022-22965

Researchers found a new HIGH vulnerability in the Spring Cloud Function dubbed Spring4Shell that could lead to a remote code execution (RCE) that would let attackers execute arbitrary code on a machine and compromise the entire host.

This is the second-highest vulnerability discovered in the last several months after the Log4Shell remote code execution vulnerability was found in the Log4j Java library.

Spring is an open-source lightweight Java platform. It is a framework for application development that is used by millions of developers for creating high-quality, easily testable code.

Likewise, the Adeptia engineering team has analyzed the Spring framework vulnerability - CVE-2022-22965 and determined that this DOES NOT IMPACT Adeptia software.

• Background about this vulnerability –

• Who is impacted?

1. JDK 9 or higher
2. Apache Tomcat as the Servlet container
3. Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
4. spring-webmvc or spring-webflux dependency
5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions

• Why Adeptia is not impacted?

1. We use Amazon Corretto 8 and not JDK 9, or higher. So, we are good with both AC 3.x and AC 4.
2. In AC 4, we use Spring boot with embedded tomcat, which is anyway not impacted as per this blog.

• What does Adeptia plan to do?

1. At present, in the AC v3.x, we use Spring Framework version 5.3.13 and have a spring-webmvc dependency. Adeptia will plan to upgrade to Spring Framework 5.3.18 which contains the fix (just to be on the safer side).
2. In AC 4.x, we will plan to upgrade to the latest Spring Boot version. At present, we use Spring Boot v2.5.5 whereas as per this blog, Spring Boot v2.6.6 and v2.5.12, which depend on Spring Framework 5.3.18, have been released.