Security: Spring4Shell / CVE-2022-22965

Initial situation

On March 30th, a new vulnerability was reported in Spring Beans, currently being dubbed “Spring4Shell”, with experts believing it could be as impactful as 2021’s Log4j. See also VMware’s CVE-2022-22965.

Regarding the Spring.IO, applications are affected when the following requirements are given:

Running on JDK 9 or higher
Apache Tomcat as the Servlet container.
Packaged as a traditional WAR and deployed in a standalone Tomcat instance. Typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted.
“spring-webmvc” or “spring-webflux” dependency.
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.

GRAVITY Situation

GRAVITY uses the Spring framework and has a dependency on “spring-webflux”.

GRAVITY server is NOT affected by the Spring Framework RCE vulnerability because it uses:

JDK 8
Packaged as .JAR-file

For next builds and container update we make sure that updates and dependencies reflect the Common Vulnerabilities and Exposures entry CVE-2022-22965 anyway.

April 5, 2022/0 Comments/by gravityadmin

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply Cancel reply

Cookie and Privacy Settings

How we use cookies

We may request cookies to be set on your device. We use cookies to let us know when you visit our websites, how you interact with us, to enrich your user experience, and to customize your relationship with our website.

Click on the different category headings to find out more. You can also change some of your preferences. Note that blocking some types of cookies may impact your experience on our websites and the services we are able to offer.

Essential Website Cookies

These cookies are strictly necessary to provide you with services available through our website and to use some of its features.

Because these cookies are strictly necessary to deliver the website, you cannot refuse them without impacting how our site functions. You can block or delete them by changing your browser settings and force blocking all cookies on this website.

Google Analytics Cookies

These cookies collect information that is used either in aggregate form to help us understand how our website is being used or how effective our marketing campaigns are, or to help us customize our website and application for you in order to enhance your experience.

If you do not want that we track your visist to our site you can disable tracking in your browser here:

Click to enable/disable google analytics tracking.

Other external services

We also use different external services like Google Webfonts, Google Maps and external Video providers. Since these providers may collect personal data like your IP address we allow you to block them here. Please be aware that this might heavily reduce the functionality and appearance of our site. Changes will take effect once you reload the page.

Google Webfont Settings:

Click to enable/disable google webfonts.

Google Map Settings:

Click to enable/disable google maps.

Vimeo and Youtube video embeds:

Click to enable/disable video embeds.

Privacy Policy

You can read about our cookies and privacy settings in detail on our Privacy Policy Page.