Initial situation
On March 30th, a new vulnerability was reported in Spring Beans, currently being dubbed “Spring4Shell”, with experts believing it could be as impactful as 2021’s Log4j. See also VMware’s CVE-2022-22965.
According to Spring.io, applications are affected when all of the following conditions are met:
- Running on JDK 9 or higher
- Apache Tomcat as the Servlet container.
- Packaged as a traditional WAR and deployed in a standalone Tomcat instance. Typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted.
- “spring-webmvc” or “spring-webflux” dependency.
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.
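As an added illustration (not part of the original post), a small triage helper that encodes the conditions listed above and reports which of them a given deployment does not meet. The Deployment fields and the "tomcat-standalone" label are assumptions; the version ranges are the ones stated on this page.

```python
import re
from dataclasses import dataclass


@dataclass
class Deployment:
    jdk_major: int        # e.g. 8, 11, 17
    packaging: str        # "war" or "jar"
    container: str        # "tomcat-standalone", "embedded", ... (assumed labels)
    web_deps: set         # artifact ids present, e.g. {"spring-webflux"}
    spring_version: str   # Spring Framework version, e.g. "5.3.17"


def parse_version(v):
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version: {v}")
    return tuple(int(x) for x in m.groups())


def spring_version_in_affected_range(v):
    """5.3.0-5.3.17, 5.2.0-5.2.19 and anything older than 5.2.0 are listed as affected."""
    major, minor, patch = parse_version(v)
    if (major, minor) == (5, 3):
        return patch <= 17
    if (major, minor) == (5, 2):
        return patch <= 19
    return (major, minor, patch) < (5, 2, 0)


def triage(d):
    """Return (affected, unmet): the deployment matches only if every condition holds."""
    checks = {
        "JDK 9 or higher": d.jdk_major >= 9,
        "Apache Tomcat as Servlet container": d.container.startswith("tomcat"),
        "traditional WAR in standalone Tomcat":
            d.packaging == "war" and d.container == "tomcat-standalone",
        "spring-webmvc or spring-webflux dependency":
            bool(d.web_deps & {"spring-webmvc", "spring-webflux"}),
        "Spring Framework version in affected range":
            spring_version_in_affected_range(d.spring_version),
    }
    unmet = [name for name, ok in checks.items() if not ok]
    return (not unmet, unmet)


if __name__ == "__main__":
    # Constructed sample: JDK 8 and a JAR, like the GRAVITY case described on this page.
    print(triage(Deployment(8, "jar", "embedded", {"spring-webflux"}, "5.3.17")))
```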
GRAVITY Situation
GRAVITY uses the Spring framework and has a dependency on “spring-webflux”.
The GRAVITY server is NOT affected by the Spring Framework RCE vulnerability because:
- it runs on JDK 8
- it is packaged as a .JAR file
For upcoming builds and container updates we will nevertheless make sure that dependency updates address the Common Vulnerabilities and Exposures entry CVE-2022-22965.