Posted to dev@cloudstack.apache.org by Rohit Yadav <ro...@shapeblue.com> on 2022/04/13 16:36:32 UTC
[SHARE] CloudStack and Spring4Shell
All,
A new spring-framework RCE [1] and CVEs [2][3] have been announced, aka, Spring4Shell. The origin appears to be tracked to VMware products [2][3] and spring-framework has published new releases v5.3.18 and v5.2.20 [1] as mitigation.
CloudStack isn't deployed as a war and doesn't use Tomcat as the servlet container (it uses embedded Jetty and is deployed as an uber-jar), and further doesn't use spring-webmvc or spring-webflux directly per my investigation. Therefore, CloudStack is not affected [1] by the Spring4Shell RCE and the CVEs.
However, as part of our routine maintenance and release effort, we have merged a pull request towards the next 4.17 LTS release (4.17.0.0 milestone) that upgrades our spring-framework dependency to the latest 5.3.18 version:
https://github.com/apache/cloudstack/pull/6250/files
[1] https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
Regards.
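The mail's impact analysis walks the "Am I impacted?" criteria from the Spring announcement [1]: a vulnerable spring-framework version, spring-webmvc or spring-webflux on the classpath, WAR packaging on Apache Tomcat, and JDK 9 or newer. The following Python script is an added example, not part of the original mail or of the CloudStack code base; it applies those criteria to a packaged jar or war. It assumes the archive keeps the Maven pom.properties files under META-INF/maven (the shade/assembly default for uber-jars) or a WEB-INF/lib layout for WARs, and the two sample archives it checks are constructed in memory rather than taken from any real build.

```python
"""Spring4Shell (CVE-2022-22965) exposure check for a packaged Java artifact.

Enumerates bundled Spring Framework artifacts and applies the "Am I impacted?"
criteria from the Spring early announcement. This is an added example; the
sample archives below are constructed, not real CloudStack builds.
"""
import io
import re
import zipfile

FIXED_PATCH = {2: 20, 3: 18}  # first fixed patch level on the 5.2.x / 5.3.x lines

POM_RE = re.compile(r"^META-INF/maven/org\.springframework/([^/]+)/pom\.properties$")
LIB_RE = re.compile(r"^WEB-INF/lib/(spring-[a-z-]+)-(\d+\.\d+\.\d+[^/]*)\.jar$")


def parse_version(version):
    """'5.3.17.RELEASE' -> (5, 3, 17); None when no x.y.z prefix is present."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None


def version_is_vulnerable(version):
    """True below 5.2.20 / 5.3.18; older, unsupported lines never got a fix."""
    parsed = parse_version(version)
    if parsed is None:
        return True  # unparseable version: assume the worst
    major, minor, patch = parsed
    if major > 5 or (major == 5 and minor > 3):
        return False  # newer lines shipped after the fix
    if major == 5 and minor in FIXED_PATCH:
        return patch < FIXED_PATCH[minor]
    return True


def spring_artifacts(archive_bytes):
    """Map artifactId -> version for org.springframework artifacts in the archive."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            pom = POM_RE.match(name)
            if pom:
                props = dict(
                    line.split("=", 1)
                    for line in zf.read(name).decode().splitlines()
                    if "=" in line and not line.startswith("#")
                )
                found[pom.group(1)] = props.get("version", "unknown").strip()
                continue
            lib = LIB_RE.match(name)
            if lib:
                found[lib.group(1)] = lib.group(2)
    return found


def assess(archive_bytes, filename, jdk_major, servlet_container):
    """Apply the advisory's criteria; every unmet criterion becomes a reason."""
    artifacts = spring_artifacts(archive_bytes)
    core = artifacts.get("spring-core") or artifacts.get("spring-beans")
    has_web_stack = any(a in artifacts for a in ("spring-webmvc", "spring-webflux"))
    reasons = []
    if core is None:
        reasons.append("no Spring Framework artifact bundled")
    elif not version_is_vulnerable(core):
        reasons.append(f"spring-framework {core} already contains the fix")
    if not has_web_stack:
        reasons.append("neither spring-webmvc nor spring-webflux bundled")
    if not filename.endswith(".war"):
        reasons.append("not packaged as a WAR")
    if servlet_container.lower() != "tomcat":
        reasons.append(f"servlet container is {servlet_container}, not Tomcat")
    if jdk_major < 9:
        reasons.append(f"JDK {jdk_major} is older than 9")
    return {
        "spring_version": core,
        "bundled": sorted(artifacts),
        "not_affected_because": reasons,
        "exploitable_per_advisory": not reasons,
        # A vulnerable version still merits the routine upgrade the mail describes.
        "upgrade_recommended": core is not None and version_is_vulnerable(core),
    }


def build_archive(entries):
    """Constructed in-memory zip from {path: bytes}, used for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed uber-jar: Spring core bundled via shaded pom.properties, no web MVC.
UBER_JAR = build_archive({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: com.example.Main\n",
    "META-INF/maven/org.springframework/spring-core/pom.properties":
        b"#Generated by Maven\nversion=5.3.17\ngroupId=org.springframework\nartifactId=spring-core\n",
    "META-INF/maven/org.springframework/spring-context/pom.properties":
        b"version=5.3.17\ngroupId=org.springframework\nartifactId=spring-context\n",
})

# Constructed WAR: spring-webmvc under WEB-INF/lib, the layout the advisory targets.
WAR = build_archive({
    "WEB-INF/web.xml": b"<web-app/>",
    "WEB-INF/lib/spring-core-5.3.17.jar": b"",
    "WEB-INF/lib/spring-webmvc-5.3.17.jar": b"",
})

if __name__ == "__main__":
    print(assess(UBER_JAR, "cloud-server.jar", 11, "jetty"))
    print(assess(WAR, "app.war", 11, "tomcat"))
```

The uber-jar case reproduces the mail's conclusion: no web stack, no WAR, Jetty rather than Tomcat, so `exploitable_per_advisory` is false, while `upgrade_recommended` stays true because 5.3.17 predates the fix. The WAR-on-Tomcat case satisfies every criterion and is flagged. The criteria encode only the scenario the advisory describes; a vulnerable version should still be upgraded regardless of the packaging.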
Re: [SHARE] CloudStack and Spring4Shell
Posted by Rohit Yadav <ro...@shapeblue.com>.
All,
Thanks to Ivet, we have an advisory published here now: https://blogs.apache.org/cloudstack/entry/cloudstack-advisory-on-spring4shell-cve
Regards.
________________________________
From: Rohit Yadav <ro...@shapeblue.com>
Sent: Wednesday, April 13, 2022 22:06
To: dev@cloudstack.apache.org <de...@cloudstack.apache.org>; users@cloudstack.apache.org <us...@cloudstack.apache.org>
Subject: [SHARE] CloudStack and Spring4Shell
All,
A new spring-framework RCE [1] and CVEs [2][3] have been announced, aka, Spring4Shell. The origin appears to be tracked to VMware products [2][3] and spring-framework has published new releases v5.3.18 and v5.2.20 [1] as mitigation.
CloudStack isn't deployed as a war and doesn't use Tomcat as the servlet container (it uses embedded Jetty and is deployed as an uber-jar), and further doesn't use spring-webmvc or spring-webflux directly per my investigation. Therefore, CloudStack is not affected [1] by the Spring4Shell RCE and the CVEs.
However, as part of our routine maintenance and release effort, we have merged a pull request towards the next 4.17 LTS release (4.17.0.0 milestone) that upgrades our spring-framework dependency to the latest 5.3.18 version:
https://github.com/apache/cloudstack/pull/6250/files
[1] https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
Regards.