Vulnerabilities have recently been disclosed in the Spring ecosystem, collectively referred to as Spring4Shell: CVE-2022-22963 (remote code execution in Spring Cloud Function via a malicious Spring Expression) and CVE-2022-22965 (Spring Core remote code execution vulnerability exploited in the wild, also known as SpringShell).
We are currently assessing the impact on our products and working on remediation. We will update this page as soon as new information is available, as well as the following documentation page:
https://doc.castsoftware.com/display/CAST/Spring+Framework+-+CVE+vulnerabilities
What we can assess so far:
CAST Highlight is not impacted:
- CVE-2022-22963 - the affected component (Spring Cloud Function) is not used in CAST Highlight
- CVE-2022-22965 - CAST Highlight is not packaged as a traditional WAR (it is deployed as a Spring Boot executable jar), and Highlight does not use request parameter binding, as its APIs consume JSON and XML
Highlight has nonetheless been upgraded to Spring Boot 2.5.12 to address the Spring4Shell vulnerability (CVE-2022-22965).
CVE-2022-22963
- AIP Core platform is not impacted
- CAST Imaging is not impacted
- CAST AIP Console/AIP node is not impacted
- Analyzers (CAST official extensions) are not impacted
- CAST Dashboards are not impacted
CVE-2022-22965
- AIP Core platform is not impacted - per the prerequisites for this scenario (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#suggested-workarounds), JDK 9 or higher is needed, and AIP uses JDK 8
- Analyzers (JEE...) (CAST official extensions) are not impacted, as they use Java 8
- CAST Imaging is not impacted
- CAST AIP Console/AIP node is not impacted
- CAST Dashboards: all releases are impacted when deployed on Apache Tomcat via a WAR file AND with Java 9 or above. A workaround consisting in upgrading to Apache Tomcat 10.0.20, 9.0.62, or 8.5.78 provides adequate protection (this Tomcat hardening blocks the currently known exploitation path; applying the updated Dashboard releases remains the complete remediation)
- 2 new versions of Dashboard have been released
CAST will release updates for the impacted releases in the coming days.
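The exposure conditions listed above for CVE-2022-22965 (JDK 9 or higher, a WAR deployed on Apache Tomcat, and a Tomcat older than the hardened release for its branch) can be checked mechanically on a Dashboard host. The following Python script is an added example and not CAST's own tooling: it parses the output of `java -version` and `catalina.sh version` (constructed sample outputs are embedded so it runs offline) and reports whether a deployment meets the preconditions for the known exploitation path. All function and constant names are the example's own.

```python
import re
from typing import Optional, Tuple

# Tomcat releases that ship the Spring4Shell hardening, one per maintained
# branch, as listed in the advisory above (major -> first protected version).
PATCHED_TOMCAT = {10: (10, 0, 20), 9: (9, 0, 62), 8: (8, 5, 78)}

# Constructed sample outputs, standing in for what `java -version` (printed
# to stderr) and `catalina.sh version` print on a real host.
SAMPLE_JAVA_8 = 'openjdk version "1.8.0_292"\nOpenJDK Runtime Environment (build 1.8.0_292-b10)'
SAMPLE_JAVA_11 = 'openjdk version "11.0.14" 2022-01-18\nOpenJDK Runtime Environment'
SAMPLE_TOMCAT_OLD = 'Server version: Apache Tomcat/9.0.58\nServer number:  9.0.58.0\nOS Name:        Linux'
SAMPLE_TOMCAT_FIXED = 'Server version: Apache Tomcat/9.0.62\nServer number:  9.0.62.0\nOS Name:        Linux'


def java_major_version(version_output: str) -> int:
    """Major Java version from `java -version` text.

    Handles the legacy "1.8.0_292" form (-> 8) and the modern "11.0.14" / "17" form.
    """
    m = re.search(r'version "([^"]+)"', version_output)
    if not m:
        raise ValueError("no Java version string found")
    parts = m.group(1).split(".")
    if parts[0] == "1":
        return int(parts[1])
    return int(re.match(r"\d+", parts[0]).group(0))


def tomcat_version(version_output: str) -> Tuple[int, int, int]:
    """(major, minor, patch) from the 'Server number:' line of `catalina.sh version`."""
    m = re.search(r"Server number:\s*(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no Tomcat server number found")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def tomcat_has_workaround(version: Tuple[int, int, int]) -> bool:
    """True if this Tomcat is at or above the hardened release for its branch.

    Unknown branches (e.g. 7.x, which is end of life) are treated as unprotected.
    """
    floor = PATCHED_TOMCAT.get(version[0])
    return floor is not None and version >= floor


def assess_cve_2022_22965(java_major: int, deployed_as_war: bool,
                          tomcat: Optional[Tuple[int, int, int]]):
    """Apply the advisory's exposure conditions for CVE-2022-22965.

    Returns (exposed, reason). Exposure requires JDK 9+ AND a WAR deployed on
    Tomcat; a Tomcat carrying the hardening is treated as protected for the
    known exploitation path. This is a precondition check, not a vulnerability
    scan: the complete fix is the updated Spring dependency in the application.
    """
    if java_major < 9:
        return False, "JDK %d (< 9): the known exploit chain does not apply" % java_major
    if not deployed_as_war:
        return False, "not deployed as a WAR on Tomcat (e.g. Spring Boot executable jar)"
    if tomcat is not None and tomcat_has_workaround(tomcat):
        return False, "Tomcat %s includes the Spring4Shell hardening" % ".".join(map(str, tomcat))
    return True, "JDK >= 9 and WAR on an unhardened Tomcat: upgrade Tomcat and apply the Spring fix"


if __name__ == "__main__":
    for label, java_out, tomcat_out in [
        ("dashboard on Java 8", SAMPLE_JAVA_8, SAMPLE_TOMCAT_OLD),
        ("dashboard on Java 11, old Tomcat", SAMPLE_JAVA_11, SAMPLE_TOMCAT_OLD),
        ("dashboard on Java 11, hardened Tomcat", SAMPLE_JAVA_11, SAMPLE_TOMCAT_FIXED),
    ]:
        exposed, reason = assess_cve_2022_22965(
            java_major_version(java_out), True, tomcat_version(tomcat_out))
        print("%-40s exposed=%s (%s)" % (label, exposed, reason))
```

On a real host, feed it the output of `java -version 2>&1` (the JVM prints its banner to stderr) and `$CATALINA_HOME/bin/catalina.sh version`. A "not exposed" result obtained through the Tomcat check only means the currently known exploitation path is blocked; the updated Dashboard releases remain the complete remediation.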