Last updated date: 13th April 2022
Advisory publication date: 1st April 2022
Latest update
As of 13th April, we released fixes to address Spring4Shell vulnerability in all supported versions of CloverDX:
- CloverDX 5.14.1
- CloverDX 5.13.3
- CloverDX 5.12.4
- CloverDX 5.11.5
Please read the Fixed product versions and Fix sections below for more details.
Please also review the Mitigation section below which contains new information about mitigation options in case you cannot install any of the released fixed versions.
Summary
Spring4Shell is an RCE (Remote Code Execution) vulnerability in Spring Framework that is used by CloverDX Server. Please read the Am I affected? section below to determine if you are affected by this vulnerability since only some configurations of CloverDX are affected.
This advisory discloses one critical severity vulnerability in Spring Framework and provides an overview of its impact on CloverDX products.
The vulnerability (CVE-2022-22965, also known as Spring4Shell) is an RCE (Remote Code Execution) vulnerability in Spring Framework. Spring Framework is used in CloverDX as one of the technologies powering CloverDX Server Console. The vulnerability allows an attacker to exploit data binding functionality in Spring to execute arbitrary code on the target system.
Note that there is also a related security vulnerability in Spring Cloud Function (CVE-2022-22963) which does not impact CloverDX products in any way since we do not use Spring Cloud.
Am I affected?
The vulnerability affects CloverDX deployments that use the application containers and Java versions listed below. If you are not using any of the configurations below (e.g., you have a different application container or a different Java version), you might still be affected. Therefore, we recommend that you upgrade CloverDX as soon as possible even if there is no pressing need.
The following configurations have been confirmed as affected so far:
- One of the following application containers:
  - Apache Tomcat 9 before Tomcat 9.0.62
  - VMware tc Server 4.1 with Apache Tomcat 9 runtime
  - Red Hat JBoss Web Server 5.4
- In combination with any of the following JDK 11 distributions:
  - Eclipse Temurin JDK 11 (or AdoptOpenJDK 11)
  - Bellsoft Liberica OpenJDK 11
  - Red Hat OpenJDK 11
Neither the platform (Linux or Windows) nor the backend database has any impact on this vulnerability.
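The following POSIX shell script is an added example (not CloverDX tooling and not part of this advisory) that classifies a Tomcat and JDK version pair against the configurations listed above. It prints CONFIRMED for a Tomcat 9 release before 9.0.62 combined with JDK 11, POSSIBLE for such a Tomcat combined with any other JDK 9+ (the vulnerability description further down names JDK 9+), and NOT-LISTED otherwise. Version strings are passed as arguments so the check runs offline; on a real host they would come from $CATALINA_HOME/bin/version.sh and java -version. The sample pairs at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not CloverDX tooling: classify a Tomcat + JDK pair against the
# configurations this advisory lists. Version strings are passed as arguments so
# the check runs offline; on a real host take them from
# "$CATALINA_HOME/bin/version.sh" ("Server number") and "java -version".

# Succeed (exit 0) when the version is a Tomcat 9 release before 9.0.62.
tomcat_9_before_fix() {
  major=$(printf '%s' "$1" | cut -d. -f1)
  minor=$(printf '%s' "$1" | cut -d. -f2)
  patch=$(printf '%s' "$1" | cut -d. -f3)
  [ "$major" = "9" ] || return 1                 # only the Tomcat 9 line is listed
  [ "${minor:-0}" -eq 0 ] && [ "${patch:-0}" -lt 62 ]
}

# Print the JDK major version; accepts "11.0.14", "17" or the legacy "1.8.0_312".
jdk_major() {
  case "$1" in
    1.*) printf '%s' "$1" | cut -d. -f2 ;;
    *)   printf '%s' "$1" | cut -d. -f1 ;;
  esac
}

# classify TOMCAT_VERSION JDK_VERSION -> CONFIRMED | POSSIBLE | NOT-LISTED
#   CONFIRMED : Tomcat 9 < 9.0.62 with JDK 11 (the confirmed list above)
#   POSSIBLE  : Tomcat 9 < 9.0.62 with another JDK 9+ (the vulnerability affects JDK 9+)
#   NOT-LISTED: anything else; the advisory still recommends upgrading CloverDX
classify() {
  jdk=$(jdk_major "$2")
  if ! tomcat_9_before_fix "$1"; then
    echo NOT-LISTED
  elif [ "$jdk" -eq 11 ]; then
    echo CONFIRMED
  elif [ "$jdk" -ge 9 ]; then
    echo POSSIBLE
  else
    echo NOT-LISTED
  fi
}

# Constructed sample pairs for a stand-alone run.
for pair in "9.0.58 11.0.14" "9.0.62 11.0.14" "9.0.58 17.0.2" "9.0.58 1.8.0_312"; do
  set -- $pair
  printf 'Tomcat %-8s JDK %-10s %s\n' "$1" "$2" "$(classify "$1" "$2")"
done
```

A NOT-LISTED result only means the pair is not in the confirmed list; as stated above, other combinations may still be exploitable, so the upgrade recommendation stands regardless of the result.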
CVE ID(s)
- CVE-2022-22965
Affected product versions
- CloverDX 5.14.0
- CloverDX 5.13.x before CloverDX 5.13.3
- CloverDX 5.12.x before CloverDX 5.12.4
- CloverDX 5.11.x before CloverDX 5.11.5
- CloverDX 5.10.x (this version is retired and does not receive security fixes)
- CloverDX 5.9.x (this version is retired and does not receive security fixes)
- CloverDX 5.8.x (this version is retired and does not receive security fixes)
- CloverDX 5.7.x (this version is retired and does not receive security fixes)
- CloverDX releases older than 5.7.0 (all are EOL and no longer receive any support or fixes)
Fixed product versions
- CloverDX 5.14.1 – contains the latest version of Spring Framework, which addresses the vulnerability.
- CloverDX 5.13.3 – contains the latest version of Spring Framework (5.3.18), which addresses the vulnerability. On 6th April we released a package that allows CloverDX 5.13.3 to also be deployed in the JBoss EAP application container; the release therefore now covers all supported deployment options for CloverDX Server.
- CloverDX 5.12.4 – released on 12th April; contains the latest version of Spring Framework, which addresses the vulnerability.
- CloverDX 5.11.5 – released on 13th April; contains the latest version of Spring Framework, which addresses the vulnerability. Note that the latest version of Spring does not support JBoss EAP 7.1, and therefore CloverDX 5.11.5 cannot be deployed on JBoss EAP 7.1. If you are using JBoss EAP 7.1, you can upgrade to JBoss EAP 7.2, which is fully supported by this release. Note also that JBoss EAP (in any version) is not affected by this vulnerability, so staying on CloverDX 5.11.4 is a viable option as well.
CVE-2022-22965: RCE vulnerability in Spring Core (Spring4Shell)
The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment.
The nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet.
All supported versions of CloverDX use Spring 5.1.18. Our preferred deployment stack is Apache Tomcat 9 with Eclipse Temurin JDK 11. This preferred configuration is affected by this vulnerability.
- Spring acknowledgement and details: Spring Framework RCE, Early Announcement
- VMware vulnerability description: CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
- CVE details: CVE-2022-22965 (NVD)
- Severity: CRITICAL
- CVSS 3.1 score: 9.8
- CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CloverDX Bug Tracker: CLO-23227
Fix
As of 7th April, we recommend that all customers upgrade to CloverDX 5.14.1, which contains the latest version of Spring Framework and addresses the vulnerability disclosed in this report.
If you cannot upgrade to CloverDX 5.14.1, upgrade to a fixed version matching your product version as described below.
What you need to do
- 5.14.0 users – upgrade to CloverDX 5.14.1
- 5.13.x users – upgrade to CloverDX 5.13.3 (easy upgrade) or to CloverDX 5.14.1.
- 5.12.x users – upgrade to CloverDX 5.12.4 (easy upgrade) or to CloverDX 5.14.1.
- 5.11.x users – upgrade to CloverDX 5.11.5 (easy upgrade) or to CloverDX 5.14.1. If you are running on JBoss EAP 7.1, do not upgrade to CloverDX 5.11.5, since it does not support JBoss EAP 7.1. In that case, you can either upgrade JBoss EAP to JBoss EAP 7.2 before applying the CloverDX update, or leave your environment unchanged, since JBoss EAP is not affected by the Spring4Shell vulnerability.
- Older versions – upgrade to CloverDX 5.14.1 (recommended) or any other fixed version. Alternatively, you can apply the mitigation steps described below if you cannot upgrade immediately. In that case, plan a CloverDX upgrade to the latest version at the earliest possible time.
Mitigation
Upgrading Tomcat
If you are running CloverDX in Apache Tomcat, you can upgrade Tomcat to version 9.0.62, which contains changes that prevent the vulnerability from being exploited.
Note that while this prevents exploitation, you should treat it only as a temporary measure that buys time to properly upgrade your CloverDX instance to the latest version.
Best practices
Besides the mitigation steps, you should also consider the following to ensure your environment is as safe as possible:
- Limit the permissions of your CloverDX Server on the host system. Ensure that CloverDX Server runs under a limited user that has access only to the data it needs – e.g., it should not have permission to read other users' data.
- Periodically review your CloverDX and system logs to verify that no unexpected processes are running on the system.
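The following POSIX shell script is an added example (not part of this advisory and not CloverDX tooling) that turns the two best practices above into a check over a process listing in the format of ps -eo user,pid,ppid,comm: it reports a java process that runs as root, and any child processes the java process has spawned, for review. The two listings embedded in the script are constructed so that it runs offline; on a live host you would pipe real ps output into audit_ps.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit a process listing for the two
# best practices above, (1) the CloverDX Server JVM does not run as root and
# (2) it has not spawned child processes you do not expect. Input is the
# output format of "ps -eo user,pid,ppid,comm"; the samples below are constructed
# so the script runs offline. On a live host: ps -eo user,pid,ppid,comm | audit_ps

# Constructed listing: JVM runs as a limited user but has spawned a shell.
SAMPLE_PS='USER     PID  PPID COMM
root       1     0 systemd
clover   812     1 java
clover   950   812 sh
root     970     1 sshd'

# Constructed listing: JVM runs as root, no children.
SAMPLE_PS_ROOT='USER     PID  PPID COMM
root       1     0 systemd
root     812     1 java'

# audit_ps: reads ps output on stdin, prints one FINDING line per issue.
audit_ps() {
  awk '
    NR == 1 { next }                                   # skip the header line
    { user[$2] = $1; ppid[$2] = $3; comm[$2] = $4 }    # index every row by pid
    END {
      for (pid in comm) {
        if (comm[pid] != "java") continue
        if (user[pid] == "root")
          print "FINDING: java pid " pid " runs as root"
        for (c in comm)
          if (ppid[c] == pid)
            print "FINDING: java pid " pid " spawned child " comm[c] " (pid " c ")"
      }
    }'
}

# finding_count: number of FINDING lines for the listing given on stdin.
finding_count() {
  audit_ps | grep -c '^FINDING'
}

# Stand-alone run over the constructed listings.
printf '%s\n' "$SAMPLE_PS" | audit_ps
printf '%s\n' "$SAMPLE_PS_ROOT" | audit_ps
```

A child of the JVM is not automatically malicious; the point of the listing is to compare it against the processes you expect your deployment to launch, so that anything unfamiliar gets investigated.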
Support
If you did not receive this email directly and you want to receive Security Advisory emails like this in the future, subscribe to the CloverDX Security Alerts mailing list.
If you have any questions or concerns regarding this advisory, please raise a CloverCARE support request via Customer Portal.
Additional information
Researchers and software vendors published several articles providing additional information about this vulnerability:
- Spring: Spring Framework RCE, Early Announcement
- VMware: CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
- LunaSec: Spring4Shell: Security Analysis of the latest Java RCE '0-day' vulnerabilities in Spring
- Haozhe Zhang, Ken Hsu, Tao Yan, Qi Deng: CVE-2022-22965: Spring Core Remote Code Execution Vulnerability Exploited In the Wild (SpringShell)
Update history
- 2022-04-13 – Added information about CloverDX 5.11.5 and CloverDX 5.12.4.
- 2022-04-07 – Added information about CloverDX 5.14.1 and updated 5.13.3 which both address the vulnerability. Added Tomcat upgrade as possible mitigation strategy.
- 2022-04-02 – Added information about CloverDX 5.13.3 which addresses the vulnerability. Added more details about the vulnerability.
- 2022-04-01 – This advisory was first published.