31.03.2022

An Update on the Spring Framework Vulnerability CVE-2022-22965 a.k.a. “Spring4Shell”


Actico is actively responding to the reported remote code execution vulnerability in the Spring Framework.

The vulnerability is a remote code execution vulnerability in the Spring Framework. It is referenced as CVE-2022-22965, also dubbed “Spring4Shell” or “SpringShell”.
An exploit exists that makes use of the vulnerability. An application is vulnerable to the exploit when all of the following conditions are true:

  • Running on Java 9 or higher
  • Running on Apache Tomcat
  • Deployed as a WAR file in Tomcat
  • Use of Spring Framework, specifically spring-webmvc or spring-webflux

The exploit requires network access to the server.

Patches to Spring Framework have been made available that contain a fix for the vulnerability:

  • Spring Framework 5.3.18 or 5.2.20

Patches to Tomcat have been made available that contain a mitigation for the exploit:

  • Tomcat 8.5.78
  • Tomcat 9.0.62
  • Tomcat 10.0.20
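To make the conditions and version floors above directly usable for an inventory review, here is a small triage helper. It is an added example, not code from the advisory or from Actico; the `Deployment` fields and the status names are assumptions, and the sample records in the test are constructed.

```python
"""Triage helper for CVE-2022-22965 ("Spring4Shell") based on the exploit
conditions and the patched Spring / Tomcat versions quoted in the advisory.
Added example: field names and status labels are assumptions, not Actico's."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# (major, minor) release line -> first patch level that carries the fix/mitigation
SPRING_FIXED: Dict[Tuple[int, int], int] = {(5, 3): 18, (5, 2): 20}
TOMCAT_MITIGATED: Dict[Tuple[int, int], int] = {(8, 5): 78, (9, 0): 62, (10, 0): 20}


def at_or_above(version: str, floors: Dict[Tuple[int, int], int]) -> Optional[bool]:
    """True/False when `version` is on a release line the advisory lists, else None.
    Only the first three numeric parts are compared, so '5.2.20.RELEASE' works."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    floor = floors.get((major, minor))
    return None if floor is None else patch >= floor


@dataclass
class Deployment:
    name: str
    java_major: int          # 8, 11, 17, ...
    container: str           # "tomcat" or "standalone" (embedded server)
    packaging: str           # "war" or "jar"
    uses_spring_web: bool    # spring-webmvc or spring-webflux present
    spring_version: str
    tomcat_version: Optional[str] = None


def triage(d: Deployment) -> str:
    """Classify one deployment; unlisted Spring lines count as unpatched."""
    if not d.uses_spring_web:
        return "NOT_AFFECTED"                      # vulnerable component absent
    if at_or_above(d.spring_version, SPRING_FIXED):
        return "PATCHED"                           # Spring 5.3.18+ or 5.2.20+
    # All four advisory conditions must hold for the exploit to apply.
    exploit_conditions = (
        d.java_major >= 9
        and d.container == "tomcat"
        and d.packaging == "war"
    )
    if not exploit_conditions:
        return "VULNERABLE_NOT_EXPLOITABLE"        # e.g. standalone jar, or Java 8
    mitigated = at_or_above(d.tomcat_version or "0.0.0", TOMCAT_MITIGATED)
    if mitigated is None:
        return "EXPLOITABLE_TOMCAT_LINE_UNKNOWN"   # Tomcat line not in the advisory
    return "MITIGATED_BY_TOMCAT" if mitigated else "EXPLOITABLE"
```

Records that come back `VULNERABLE_NOT_EXPLOITABLE` or `MITIGATED_BY_TOMCAT` still carry the vulnerable Spring version and should be scheduled for the Spring update.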

We are investigating and taking action for Actico as an enterprise, Actico products and Actico services that may be potentially impacted, and will continually publish information here to help customers detect, investigate and mitigate attacks, if any, to their Actico products and services.

Actico
Actico is continuing to inventory our products and systems potentially impacted by the vulnerability. As necessary, we will be applying updates as they become available to fix the vulnerability, and applying mitigations in the interim.

Actico Software Products
Actico is continuing a product-by-product analysis for vulnerability impacts. If an Actico Software product is impacted, there will be an update on this news post as a remediation or fix becomes available. Such on-premise Actico products will then have to be updated by the customer.

Actico Professional Services
Actico Professional Services will continue to work directly with its clients in support of the remediation of custom applications and services through its support processes.

Actico Cloud and as-a-Service Products
For Actico Cloud services, Actico is remediating managed as-a-service Cloud offerings as applicable.
Actico is continuing to assess and remediate any remaining services and validate that mitigating controls remain effective.

Actico Platform 9.1

Actico Platform 9.1 components like Model Hub, Execution Server and Workplace contain affected Spring Framework components. But they run standalone and cannot be deployed as a WAR to Tomcat. Thus, they contain the vulnerability, but are not affected by the exploit.

Still, we will make updates of all Platform 9.1 components available, with updated Spring Framework components, by Monday, April 11 2022 at the latest.

Update: Platform 9.1 (for the exact version please see the list below) with updated Spring Framework components was released on April 11 2022:

  • Modeler 9.1.15
  • Model Hub 9.1.16
  • CLI 9.1.16
  • Execution Server 9.1.13
  • Engine 9.1.13
  • Workplace 9.1.10

Modeler

Modeler in all versions is not affected by the exploit or the vulnerability, because it is not serving HTTP requests.
Still, we will update the contained Spring Framework components in upcoming releases. Modeler 9.1 will be included in the update on Monday, April 11 2022.

Update: Platform 9.1, including Modeler, with updated Spring Framework components was released on April 11 2022.

Model Hub 8.1

Model Hub 8.1 contains affected Spring Framework components. But it is run standalone and cannot be deployed as a WAR to Tomcat. Thus, it contains the vulnerability, but is not affected by the exploit.
We will make an update of Model Hub 8.1 available, with updated Spring Framework components soon. The exact date will be published as soon as possible.

Update: Model Hub 8.1.21 with updated Spring Framework components was released on April 6 2022.

Workplace 3.8

Workplace 3.8 contains affected Spring Framework components and contains the vulnerability. The default mode of operation is standalone, but a WAR deployment is possible.

  • If you run Workplace 3.8 standalone, you are not affected by the exploit.
  • If you have Workplace 3.8 deployed as a WAR file into Tomcat, and run it with Java 9 or higher, you are affected by the exploit.

We will make an update of Workplace 3.8 available, with updated Spring Framework components soon. The exact date will be published as soon as possible.

Update: Workplace 3.8.26 with updated Spring Framework components was released on April 28 2022.

Compliance Suite

Compliance Suite contains affected Spring Framework components and contains the vulnerability.
It is often deployed into a Tomcat server as a WAR file. If this is the case and it runs with Java 9 or higher, then it is affected by the exploit.
Please contact us if you are affected by the exploit, so that we can advise on how to install a patched Tomcat.
We will make an update of Compliance Suite 3.5 with updated Spring Framework available soon. The exact date will be published as soon as possible.

Actico Rules 6.8 (Modeler, Team Server, Execution Server, Identity Management)

Actico Rules 6.8 is not affected. It can run only up to Java 8.
We will not provide an update.

Visual Rules 7.2 / 8.0

Visual Rules 7.2 / 8.0 are not affected. They can run only up to Java 8.
We will not provide an update.


If you have questions, please send an email to support@actico.com to open a ticket.