Initial situation

On March 30th, a new vulnerability was reported in Spring Beans, currently being dubbed “Spring4Shell”, with experts believing it could be as impactful as 2021’s Log4j. See also VMware’s CVE-2022-22965.

According to Spring.io, an application is affected only when all of the following conditions are met:

  • Running on JDK 9 or higher.
  • Apache Tomcat as the Servlet container.
  • Packaged as a traditional WAR and deployed in a standalone Tomcat instance. Typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted.
  • A “spring-webmvc” or “spring-webflux” dependency.
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.

GRAVITY Situation

GRAVITY uses the Spring framework and has a dependency on “spring-webflux”.

The GRAVITY server is NOT affected by the Spring Framework RCE vulnerability because it does not meet two of the conditions above:

  • It runs on JDK 8.
  • It is packaged as a .JAR file, not as a WAR deployed in a standalone Tomcat instance.

For the next builds and container updates we will nevertheless make sure that our updates and dependencies address CVE-2022-22965.
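To make the assessment above repeatable, here is an added example (not part of the original post or of GRAVITY's code) that applies the listed preconditions to a deployment description and reports which ones are unmet; the GRAVITY entry uses an assumed Spring version and container name, since the post states neither.

```python
# Added example (not from the advisory): apply the Spring4Shell preconditions
# listed above to a deployment description and report which ones are unmet.
from dataclasses import dataclass

@dataclass(frozen=True)
class Deployment:
    jdk_major: int          # e.g. 8 or 11
    spring_version: str     # Spring Framework version, e.g. "5.3.17"
    container: str          # "standalone-tomcat", "embedded", "netty", ...
    packaging: str          # "war" or "jar"
    dependencies: frozenset # artifact ids such as "spring-webflux"

def parse_version(version: str) -> tuple:
    # "5.3.17" -> (5, 3, 17); qualifiers like "-RELEASE" are dropped, short versions padded
    core = version.split("-")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def spring_version_affected(version: str) -> bool:
    """5.3.0-5.3.17, 5.2.0-5.2.19 and anything older than 5.2.0 are affected;
    later releases are not (per the ranges in the advisory above)."""
    v = parse_version(version)
    return (v < (5, 2, 0)
            or (5, 2, 0) <= v <= (5, 2, 19)
            or (5, 3, 0) <= v <= (5, 3, 17))

def unmet_conditions(d: Deployment) -> list:
    """Return the names of the preconditions this deployment does NOT satisfy.
    An empty list means every condition holds and the deployment is affected."""
    checks = {
        "jdk>=9": d.jdk_major >= 9,
        "standalone-tomcat": d.container == "standalone-tomcat",
        "war-packaging": d.packaging == "war",
        "webmvc-or-webflux": bool(d.dependencies & {"spring-webmvc", "spring-webflux"}),
        "affected-spring-version": spring_version_affected(d.spring_version),
    }
    return [name for name, ok in checks.items() if not ok]

def is_affected(d: Deployment) -> bool:
    return not unmet_conditions(d)

# Constructed description of the GRAVITY server from the statements above;
# spring_version and container are assumed placeholders, the post does not state them.
GRAVITY = Deployment(jdk_major=8, spring_version="5.3.17",
                     container="embedded", packaging="jar",
                     dependencies=frozenset({"spring-webflux"}))

if __name__ == "__main__":
    print("GRAVITY affected:", is_affected(GRAVITY), "unmet:", unmet_conditions(GRAVITY))
```

Even with a Spring version inside the affected range, the JDK 8 and JAR-packaging conditions alone keep the result at "not affected"; swapping in JDK 11, WAR packaging and standalone Tomcat flips it.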
