06/04/2022 Security Advisory
Ethan Magnet

Spring Framework RCE – Security Advisory for RiskSuite

Information for SHS Viveon RiskSuite Customers

Overview

A security vulnerability in the Spring Framework (CVE-2022-22965) was announced recently. Please refer to these external resources for detailed information:

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
https://tanzu.vmware.com/security/cve-2022-22965
https://nvd.nist.gov/vuln/detail/CVE-2022-22965
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965

According to Spring, all of the following conditions must hold for an application to be affected:

– Running on JDK 9 or higher.
– Apache Tomcat as the Servlet container.
– Packaged as a traditional WAR and deployed in a standalone Tomcat instance. Typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted.
– A spring-webmvc or spring-webflux dependency.
– Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.

Source: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement


Potentially affected products

The following table provides an overview of which products contain the affected Spring library:


Mitigation Approach

As described in the table above, some products contain the affected library. However, whether a product is actually exploitable depends on several factors, not on the presence of the Spring library alone.

According to Spring, one mitigation workaround is to use Java 8. It is therefore strongly recommended to use RiskSuite and its related products only with Java 8, as stated in the release notes. In addition, we are currently analyzing a possible update of our products.
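The following script is an added example, not part of this advisory and not RiskSuite code. It turns the five conditions quoted from Spring above, together with the Java 8 workaround, into a defender-side check: it reads the Java version, inspects a WAR for spring-webmvc/spring-webflux jars under WEB-INF/lib, compares the jar version against the affected ranges (5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older), and reports whether all conditions hold. The WAR used in the demonstration is constructed in memory with empty placeholder jars; for a real deployment, pass the path of the actual WAR file and the output of `java -version`. Function names and the report layout are this example's own choices.

```python
"""Added example (not from the advisory): checks a deployment against the
advisory's five Spring conditions and the Java 8 workaround."""
import io
import re
import zipfile
from typing import Dict, List, Tuple

# Matches spring-webmvc / spring-webflux jars, with or without a ".RELEASE" suffix.
JAR_RE = re.compile(r"spring-(webmvc|webflux)-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")


def parse_spring_version(version: str) -> Tuple[int, int, int]:
    """'5.2.19.RELEASE' -> (5, 2, 19); '5.3.17' -> (5, 3, 17)."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    return major, minor, patch


def spring_version_affected(version: str) -> bool:
    """Affected ranges quoted in the advisory: 5.3.0-5.3.17, 5.2.0-5.2.19, and older."""
    major, minor, patch = parse_spring_version(version)
    if (major, minor) < (5, 2):
        return True          # "and older versions"
    if (major, minor) == (5, 2):
        return patch <= 19
    if (major, minor) == (5, 3):
        return patch <= 17
    return False             # newer than the listed ranges


def java_major_version(version: str) -> int:
    """Maps `java -version` style strings to a major number: 1.8.0_322 -> 8, 11.0.14 -> 11, 17 -> 17."""
    parts = version.split(".")
    if parts[0] == "1" and len(parts) > 1:   # legacy 1.x scheme used by Java 8 and earlier
        return int(parts[1])
    return int(parts[0])


def jdk_condition_met(version: str) -> bool:
    """Condition 1 of the advisory: running on JDK 9 or higher."""
    return java_major_version(version) >= 9


def spring_web_jars(source) -> List[Tuple[str, str]]:
    """Returns (module, version) for each spring-webmvc/webflux jar under WEB-INF/lib.
    `source` may be a file path, a file-like object, or the raw WAR bytes."""
    if isinstance(source, bytes):
        source = io.BytesIO(source)
    found = []
    with zipfile.ZipFile(source) as war:
        for name in war.namelist():
            if not name.startswith("WEB-INF/lib/"):
                continue
            m = JAR_RE.search(name)
            if m:
                found.append((m.group(1), ".".join(m.group(2, 3, 4))))
    return found


def assess(java_version: str, war_source, servlet_container: str, standalone_war: bool) -> Dict[str, object]:
    """Evaluates all five conditions; `servlet_container` and `standalone_war` come from the operator,
    since they are deployment facts the WAR itself does not record."""
    jars = spring_web_jars(war_source)
    conditions = {
        "jdk_9_or_higher": jdk_condition_met(java_version),
        "apache_tomcat": servlet_container.strip().lower() == "tomcat",
        "standalone_war_deployment": standalone_war,
        "spring_webmvc_or_webflux_dependency": bool(jars),
        "affected_spring_version": any(spring_version_affected(v) for _, v in jars),
    }
    return {"conditions": conditions, "all_conditions_met": all(conditions.values()), "spring_jars": jars}


def build_sample_war(jar_names: List[str]) -> bytes:
    """Constructs a minimal WAR with empty placeholder jars under WEB-INF/lib (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in jar_names:
            war.writestr(f"WEB-INF/lib/{jar}", b"")
    return buf.getvalue()


if __name__ == "__main__":
    war = build_sample_war(["spring-webmvc-5.3.17.jar", "spring-core-5.3.17.jar"])  # constructed
    for java in ("11.0.14", "1.8.0_322"):   # JDK 11 vs. the Java 8 workaround
        report = assess(java, war, "Tomcat", standalone_war=True)
        print(f"Java {java}:")
        for name, met in report["conditions"].items():
            print(f"  {'[x]' if met else '[ ]'} {name}")
        print("  all five conditions hold" if report["all_conditions_met"] else "  not all conditions hold")
```

Running the demonstration shows the same WAR flagged on JDK 11 and cleared on Java 8, which is exactly the effect of the workaround the advisory recommends; a fixed Spring version (5.3.18 or 5.2.20 and later) clears the version condition regardless of the JDK.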

There might be additional findings about this issue in the future. We therefore recommend that customers monitor the issue and possible mitigation workarounds closely.