https://bugalert.org/content/notices/2022-03-30-spring.html
https://tanzu.vmware.com/security/cve-2022-22965
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Our CAS deployments meet the requirements (deployed via Tomcat using a WAR and running on Java 11) and were updated to 6.4.6.2, which addresses this vulnerability (https://apereo.github.io/2022/03/31/spring-vuln/)
Other parts of our Java stacks appear unaffected:
- Archiva uses Spring, is directly exposed to the internet and uses Tomcat internally (but not the packaged version shipped in Debian); fortunately, we are still running it with Java 8 (and this is only exploitable starting with Java 9)
- Jenkins uses Spring but no Tomcat, which according to the currently available info renders it not affected
- Cassandra, Druid, Elastic, Gerrit, Kafka, Hadoop and Blazegraph all don't seem to use Spring
- Puppetdb is also unaffected: while Spring is somewhere in Jetty's dependency chain, the way the systemd unit launches it makes it unaffected
If Archiva should be confirmed to be affected (will check in the coming days), we should still update it, just to avoid switching to Java 11 with an OS update (while reusing the existing version/deb) and thereby making it vulnerable
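As an added example (not part of the original comment and not code from CAS, Archiva, Jenkins or any other project named above), the following Python helper encodes the published exploitation preconditions for CVE-2022-22965 and applies them to a service inventory, separating "vulnerable Spring on the classpath" from "all preconditions met", which is the distinction the Java 8 and non-Tomcat cases above rely on. The Spring fix versions (5.3.18 and 5.2.20) come from the linked advisories; the Service class, the inventory entries and their jar names and versions are constructed for illustration and do not describe the real deployments.

```python
"""CVE-2022-22965 (Spring4Shell) triage helper.

Added example for this ticket; it is not code from the original comment or from
any of the projects named there. It encodes the published exploitation
preconditions (Spring Framework before 5.3.18 / 5.2.20 with spring-webmvc or
spring-webflux, running on JDK 9 or newer, deployed as a WAR on Apache Tomcat)
and separates "vulnerable library present" from "all preconditions met".
The service inventory at the bottom is constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# First fixed release on each supported Spring Framework branch (per advisory).
SPRING_FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Matches both "spring-webmvc-5.3.17.jar" and "spring-webmvc-5.2.19.RELEASE.jar".
JAR_RE = re.compile(r"^spring-(webmvc|webflux)-(\d+)\.(\d+)\.(\d+)")


@dataclass
class Service:                    # hypothetical inventory record
    name: str
    java_version_output: str      # verbatim stderr of `java -version`
    container: str                # "tomcat", "jetty", "embedded", ...
    packaging: str                # "war" or "jar"
    jars: list = field(default_factory=list)  # jar file names on the classpath


def java_major(version_output: str) -> int:
    """Major Java release from `java -version` output.

    JDK 8 and older report "1.8.0_312" style strings, JDK 9+ report "11.0.14"
    or plain "17"; both schemes must be handled or Java 8 hosts get misreported.
    """
    m = re.search(r'version "([^"]+)"', version_output)
    if not m:
        raise ValueError("no Java version string in output")
    parts = m.group(1).split(".")
    if parts[0] == "1":               # legacy 1.x scheme: 1.8 -> 8
        return int(parts[1])
    return int(re.match(r"\d+", parts[0]).group(0))


def spring_web_versions(jars):
    """(artifact, version tuple) for every spring-webmvc/webflux jar found."""
    found = []
    for name in jars:
        m = JAR_RE.match(name)
        if m:
            found.append((m.group(1), tuple(int(x) for x in m.groups()[1:])))
    return found


def spring_is_fixed(version) -> bool:
    """True if this Spring Framework version carries the CVE-2022-22965 fix."""
    branch = version[:2]
    if branch in SPRING_FIXED:
        return version >= SPRING_FIXED[branch]
    return version >= (5, 3, 18)   # newer branches are fixed; older ones are not


def assess(svc: Service):
    """Return (status, reason); status is 'unaffected', 'mitigated' or 'affected'.

    'mitigated' means a vulnerable Spring is on the classpath but the published
    preconditions are not met (the Java 8 / non-Tomcat cases in the comment):
    not exploitable as published, but still worth patching before an upgrade.
    """
    springs = spring_web_versions(svc.jars)
    if not springs:
        return "unaffected", "no spring-webmvc/webflux on classpath"
    vuln = ", ".join(f"{a}-{'.'.join(map(str, v))}"
                     for a, v in springs if not spring_is_fixed(v))
    if not vuln:
        return "unaffected", "Spring Framework already at a fixed release"
    jdk = java_major(svc.java_version_output)
    if jdk < 9:
        return "mitigated", f"{vuln} on JDK {jdk} (exploit needs 9+); patch before any Java upgrade"
    if svc.container != "tomcat" or svc.packaging != "war":
        return "mitigated", f"{vuln}: not a WAR on Tomcat ({svc.packaging} on {svc.container})"
    return "affected", f"{vuln} as WAR on Tomcat with JDK {jdk}: all preconditions met"


# Constructed inventory, loosely modelled on the services named in the comment;
# versions, containers and jar names are illustrative, not the real deployments.
INVENTORY = [
    Service("cas", 'openjdk version "11.0.14" 2022-01-18', "tomcat", "war",
            ["spring-webmvc-5.3.17.jar", "spring-beans-5.3.17.jar"]),
    Service("cas-patched", 'openjdk version "11.0.14" 2022-01-18', "tomcat", "war",
            ["spring-webmvc-5.3.18.jar"]),
    Service("archiva", 'openjdk version "1.8.0_312"', "tomcat", "war",
            ["spring-webmvc-5.2.19.RELEASE.jar"]),
    Service("jenkins", 'openjdk version "11.0.14" 2022-01-18', "jetty", "war",
            ["spring-webmvc-5.3.17.jar"]),
    Service("cassandra", 'openjdk version "11.0.14" 2022-01-18', "embedded", "jar",
            ["guava-27.0-jre.jar"]),
]


def triage(inventory=INVENTORY):
    """Map service name -> (status, reason) for the whole inventory."""
    return {svc.name: assess(svc) for svc in inventory}


if __name__ == "__main__":
    for name, (status, reason) in triage().items():
        print(f"{name:12} {status:10} {reason}")
```

The "mitigated" status is the point of the helper: a Java 8 host with an unpatched Spring reports as not exploitable today, but the reason string records that the first JDK upgrade flips it to "affected", which is the Archiva scenario the last paragraph describes.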