Mitigating Springshell Vulnerability
Although CVE-2022-22963 and CVE-2022-22965 (the "Springshell" vulnerabilities) do not affect ConnectALL, for the reasons detailed below, we have upgraded the vulnerable third-party library anyway, out of an abundance of caution. Version 18.104.22.168 includes this update. To upgrade, please contact our support team.
April 4, 2022:
CVE-2022-22963 - ConnectALL doesn’t use spring-cloud dependencies, so we are not impacted by this CVE.
CVE-2022-22965 - ConnectALL is not impacted by this CVE.
- This vulnerability in Spring is not exploitable on JDK 8. Default installations of ConnectALL use JDK 8.
- This vulnerability is not exploitable if data binding is not used to bind request parameters to a Java object. ConnectALL does not use data binding.
Spring running on JDK 9 and later is potentially affected because the Class object gained an additional method (Class.getModule()) in JDK 9. Refer to the blog post https://jfrog.com/blog/springshell-zero-day-vulnerability-all-you-need-to-know/ for more details. One of the mitigations noted by Spring is to downgrade to JDK 8, so we can be confident that there is no impact with our default installation of ConnectALL. Ref: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#downgrading-to-java-8
In cases where the ConnectALL installation has been modified to use JDK 9+, exploiting the vulnerability additionally requires code that uses data binding to bind request parameters to a Java object. This condition is not met in ConnectALL. Specifically, exploitation requires the code to use one of the following data binding annotations (Ref: https://jfrog.com/blog/springshell-zero-day-vulnerability-all-you-need-to-know/):
ConnectALL does not use any of the data binding annotations referenced above.
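For installations that have been modified to run on JDK 9+ and cannot be downgraded or upgraded immediately, the Spring announcement linked above also documents a request-level workaround: deny the `class`/`Class` property paths in every data binder so that a request parameter can never reach `class.module.classLoader`. The following is an added example written for this page, not ConnectALL code; the class name is arbitrary and the denylist patterns are the ones published by Spring.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global binder hardening for Spring MVC applications on JDK 9+.
 * Applied to every controller's WebDataBinder before request parameters
 * are bound, so nested property paths starting with or passing through
 * "class" / "Class" (e.g. class.module.classLoader.*) are rejected.
 * Class name is hypothetical; the patterns come from Spring's announcement.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE) // run after app-specific @InitBinder methods
public class BinderHardeningAdvice {

    @InitBinder
    public void denyClassPropertyPaths(WebDataBinder dataBinder) {
        String[] denylist = new String[] {
            "class.*",    // top-level "class" property of the bound object
            "Class.*",    // case variant accepted by some property resolvers
            "*.class.*",  // "class" reached through any nested property
            "*.Class.*"
        };
        dataBinder.setDisallowedFields(denylist);
    }
}
```

This is a stop-gap only; the durable fix remains the patched Spring library that the ConnectALL update above ships, and a controller that registers its own @InitBinder with setDisallowedFields must include these patterns as well, since a later call replaces the list rather than appending to it.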
Nevertheless, an upcoming version of ConnectALL will update the vulnerable Spring classes. This will be noted here and on our release notes page.
March 31, 2022:
We are actively evaluating the CVE-2022-22963 and CVE-2022-22965 "SpringShell" vulnerabilities. As we know more, we will update this page.
Early indications suggest that ConnectALL is not vulnerable because:
- ConnectALL runs on Java 8, not Java 9.