
CVE-2022-22965: Spring Framework RCE via data binding
Closed, Resolved | Public | Security

Description

https://bugalert.org/content/notices/2022-03-30-spring.html
https://tanzu.vmware.com/security/cve-2022-22965
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Our CAS deployment meets the requirements (deployed via Tomcat using a WAR and running on Java 11) and was updated to 6.4.6.2, which addresses this vulnerability (https://apereo.github.io/2022/03/31/spring-vuln/).

Other parts of our Java stacks appear unaffected:

  • Archiva uses Spring, it's directly exposed to the internet and uses Tomcat internally (but not the packaged version shipped in Debian), but fortunately we are still running it with Java 8 (and this is only exploitable starting with Java 9)
  • Jenkins uses Spring, but no Tomcat, which by the currently available info renders it not affected
  • Cassandra, Druid, Elastic, Gerrit, Kafka, Hadoop, Blazegraph all don't seem to use Spring
  • Puppetdb is also unaffected: while Spring is somewhere in Jetty's dependency chain, the way the systemd unit launches it makes it unaffected

If Archiva is confirmed to be affected (will check in the coming days), we should still update it, to avoid making it vulnerable when we switch to Java 11 with an OS update (while reusing the existing version/deb).
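An added triage helper (example code, not from this ticket or the Wikimedia deployment) that applies the exposure preconditions from the linked Spring announcement to a constructed service inventory, flagging both currently exploitable services and ones like Archiva whose vulnerable Spring is only shielded by a Java 8 runtime that a later OS/JDK upgrade would remove. The fixed versions 5.3.18 and 5.2.20 come from Spring's announcement; the inventory entries and their versions are constructed for illustration.

```python
"""Triage a service inventory for CVE-2022-22965 exposure, using the
preconditions from Spring's announcement: spring-webmvc/webflux on Spring
Framework < 5.3.18 (5.3.x) or < 5.2.20 (5.2.x), JDK 9+, WAR on Tomcat."""
from typing import NamedTuple, Optional
from itertools import takewhile

FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}  # first fixed release per branch

def parse_version(v: str) -> tuple:
    """'5.3.17.RELEASE' -> (5, 3, 17); stops at the first non-numeric part."""
    return tuple(int(p) for p in takewhile(str.isdigit, v.split(".")))

def spring_version_vulnerable(v: str) -> bool:
    """True if the version predates the fix for its branch (5.1 and older: always)."""
    ver = parse_version(v)
    fixed = FIXED.get(ver[:2])
    return ver < fixed if fixed else ver < (5, 2)

class Service(NamedTuple):
    name: str
    spring_version: Optional[str]  # None when Spring is not on the classpath
    spring_web: bool               # uses spring-webmvc or spring-webflux
    java_major: int
    container: str                 # "tomcat", "jetty", "embedded", ...
    packaging: str                 # "war" or "jar"

def has_vulnerable_spring(s: Service) -> bool:
    return (s.spring_version is not None and s.spring_web
            and spring_version_vulnerable(s.spring_version))

def exploitable(s: Service) -> bool:
    """All runtime preconditions must hold; Java 8 alone blocks the known vector."""
    return (has_vulnerable_spring(s) and s.java_major >= 9
            and s.container == "tomcat" and s.packaging == "war")

def triage(inv) -> dict:
    """name -> 'exploitable', 'patch-anyway' (vulnerable Spring shielded only by
    runtime conditions an OS/JDK upgrade could remove) or 'unaffected'."""
    return {s.name: "exploitable" if exploitable(s)
            else "patch-anyway" if has_vulnerable_spring(s) else "unaffected"
            for s in inv}

# Constructed sample inventory; versions are illustrative, not the ticket's data.
INVENTORY = [
    Service("cas", "5.3.18", True, 11, "tomcat", "war"),
    Service("archiva", "5.3.17", True, 8, "tomcat", "war"),
    Service("jenkins", "5.3.17", True, 11, "embedded", "jar"),
    Service("puppetdb", "5.3.17", False, 11, "jetty", "jar"),
]
```

Running `triage(INVENTORY)` marks archiva and jenkins as "patch-anyway" rather than "unaffected", which is the distinction the ticket draws for Archiva.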

Details

Risk Rating
Low
Author Affiliation
WMF Technology Dept

Event Timeline

MoritzMuehlenhoff edited projects, added SRE; removed Security-Team.
MoritzMuehlenhoff claimed this task.

There's no indication that Archiva is affected by CVE-2022-22965 (and we have https://phabricator.wikimedia.org/T318962 anyway to upgrade to 2.2.8), closing.

sbassett changed Author Affiliation from N/A to WMF Technology Dept. (Jul 12 2023, 3:07 PM)
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.