Posted to dev@cloudstack.apache.org by Rohit Yadav <ro...@shapeblue.com> on 2022/04/13 16:36:32 UTC

[SHARE] CloudStack and Spring4Shell

All,

A new spring-framework RCE [1] and CVEs [2][3] have been announced, aka, Spring4Shell. The origin appears to be tracked to VMware products [2][3] and spring-framework has published new releases v5.3.18 and v5.2.20 [1] as mitigation.

CloudStack isn't deployed as a war and doesn't use Tomcat as the servlet container (it uses embedded Jetty and is deployed as an uber-jar), and further doesn't use spring-webmvc or spring-webflux directly per my investigation. Therefore, CloudStack is not affected [1] by Spring4Shell RCE and the CVEs.

However, as part of our routine maintenance and release effort, we have merged a pull request towards the next 4.17 LTS release (4.17.0.0 milestone) that upgrades our spring-framework dependency to the latest 5.3.18 version:
https://github.com/apache/cloudstack/pull/6250/files


[1] https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963

[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965


Regards.
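The mail's "not affected" reasoning walks through the preconditions from the Spring announcement's "Am I impacted?" section ([1]): WAR packaging, Tomcat as the servlet container, a direct spring-webmvc/spring-webflux dependency, and a spring-framework version older than the fixed 5.3.18 / 5.2.20 releases (the announcement also lists JDK 9 or newer). The script below is an added example, not CloudStack project code, that turns that checklist into an exposure assessment over `mvn dependency:list` style lines. The two deployment profiles and their coordinate lines are constructed for illustration; the fixed-version thresholds are the ones cited in the mail.

```python
"""Exposure assessment for the Spring4Shell (CVE-2022-22965) preconditions.

Added example, not CloudStack code. The precondition list mirrors the
"Am I impacted?" section of the Spring announcement referenced as [1]:
JDK 9+, Apache Tomcat as servlet container, traditional WAR packaging,
a spring-webmvc or spring-webflux dependency, and a spring-framework
version older than 5.3.18 / 5.2.20. All five must hold for exposure.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Fixed versions named in the mail and the Spring announcement.
FIXED_VERSIONS = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
WEB_ARTIFACTS = {"spring-webmvc", "spring-webflux"}

# One `mvn dependency:list` line: optional "[INFO]" prefix, then
# group:artifact:type:version:scope (trailing " -- module ..." tolerated).
_COORD = re.compile(
    r"^(?:\[INFO\]\s+)?(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):"
    r"(?P<type>[^:\s]+):(?P<version>[^:\s]+):(?P<scope>[^:\s]+)"
)


def parse_coordinate(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (group, artifact, version) for a dependency line, else None."""
    m = _COORD.match(line.strip())
    if not m:
        return None
    return m.group("group"), m.group("artifact"), m.group("version")


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.3.17' -> (5, 3, 17); qualifiers like '.RELEASE' are ignored."""
    nums = re.match(r"^(\d+)\.(\d+)\.(\d+)", v)
    if not nums:
        raise ValueError(f"unrecognised version: {v}")
    return tuple(int(x) for x in nums.groups())


def spring_version_patched(v: str) -> bool:
    """True if this spring-framework version carries the fix."""
    ver = parse_version(v)
    fixed = FIXED_VERSIONS.get(ver[:2])
    if fixed is None:
        # Lines newer than 5.3 postdate the fix; older lines (5.1, 4.x)
        # were out of support and never received it.
        return ver[:2] > (5, 3)
    return ver >= fixed


@dataclass
class Deployment:
    packaging: str            # "war" or "jar"
    servlet_container: str    # "tomcat", "jetty", ...
    jdk_major: int
    dependency_lines: List[str]  # as printed by `mvn dependency:list`


def assess(d: Deployment) -> Dict[str, object]:
    """Evaluate each precondition; 'exposed' is True only if all hold."""
    deps = [c for c in map(parse_coordinate, d.dependency_lines) if c]
    spring = [c for c in deps if c[0] == "org.springframework"]
    web = sorted({a for _, a, _ in spring if a in WEB_ARTIFACTS})
    versions = sorted({v for _, _, v in spring})
    unpatched = [v for v in versions if not spring_version_patched(v)]
    conditions = {
        "jdk9_or_newer": d.jdk_major >= 9,
        "tomcat_container": d.servlet_container.lower() == "tomcat",
        "war_packaging": d.packaging.lower() == "war",
        "webmvc_or_webflux": bool(web),
        "unpatched_spring": bool(unpatched),
    }
    return {
        "conditions": conditions,
        "web_artifacts": web,
        "unpatched_versions": unpatched,
        "exposed": all(conditions.values()),
    }


# Constructed profiles (not real dependency trees); the first mirrors the
# deployment shape the mail describes, the second a classic Tomcat webapp.
CLOUDSTACK_LIKE = Deployment(
    packaging="jar", servlet_container="jetty", jdk_major=11,
    dependency_lines=[
        "[INFO]    org.springframework:spring-core:jar:5.3.18:compile",
        "[INFO]    org.springframework:spring-context:jar:5.3.18:compile",
        "[INFO]    org.eclipse.jetty:jetty-server:jar:9.4.0:compile",  # placeholder version
    ])
CLASSIC_WAR = Deployment(
    packaging="war", servlet_container="tomcat", jdk_major=17,
    dependency_lines=[
        "[INFO] The following files have been resolved:",
        "[INFO]    org.springframework:spring-webmvc:jar:5.3.17:compile",
        "[INFO]    org.springframework:spring-core:jar:5.3.17:compile",
    ])

if __name__ == "__main__":
    for name, dep in (("cloudstack-like", CLOUDSTACK_LIKE), ("classic-war", CLASSIC_WAR)):
        r = assess(dep)
        print(name, "EXPOSED" if r["exposed"] else "not exposed", r["conditions"])
```

On a real project, feed `assess` the output of `mvn dependency:list` for the shipped artifact; note that it checks direct and transitive coordinates alike, so a `spring-webmvc` pulled in transitively still counts, which is stricter than the mail's "directly" and errs toward flagging.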



Re: [SHARE] CloudStack and Spring4Shell

Posted by Rohit Yadav <ro...@shapeblue.com>.
All,

Thanks to Ivet, we have an advisory published here now: https://blogs.apache.org/cloudstack/entry/cloudstack-advisory-on-spring4shell-cve


Regards.

________________________________
From: Rohit Yadav <ro...@shapeblue.com>
Sent: Wednesday, April 13, 2022 22:06
To: dev@cloudstack.apache.org <de...@cloudstack.apache.org>; users@cloudstack.apache.org <us...@cloudstack.apache.org>
Subject: [SHARE] CloudStack and Spring4Shell

All,

A new spring-framework RCE [1] and CVEs [2][3] have been announced, aka, Spring4Shell. The origin appears to be tracked to VMware products [2][3] and spring-framework has published new releases v5.3.18 and v5.2.20 [1] as mitigation.

CloudStack isn't deployed as a war and doesn't use Tomcat as the servlet container (it uses embedded Jetty and is deployed as an uber-jar), and further doesn't use spring-webmvc or spring-webflux directly per my investigation. Therefore, CloudStack is not affected [1] by Spring4Shell RCE and the CVEs.

However, as part of our routine maintenance and release effort, we have merged a pull request towards the next 4.17 LTS release (4.17.0.0 milestone) that upgrades our spring-framework dependency to the latest 5.3.18 version:
https://github.com/apache/cloudstack/pull/6250/files


[1] https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963

[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965


Regards.
