Last updated date: 13th April 2022
Advisory publication date: 1st April 2022
As of 13th April, we released fixes to address Spring4Shell vulnerability in all supported versions of CloverDX:
- CloverDX 5.14.1
- CloverDX 5.13.3
- CloverDX 5.12.4
- CloverDX 5.11.5
Please also review the Mitigation section below which contains new information about mitigation options in case you cannot install any of the released fixed versions.
Spring4Shell is an RCE (Remote Code Execution) vulnerability in Spring Framework that is used by CloverDX Server. Please read the Am I affected? section below to determine if you are affected by this vulnerability since only some configurations of CloverDX are affected.
This advisory discloses one critical severity vulnerability in Spring Framework and provides an overview of its impact on CloverDX products.
The vulnerability (CVE-2022-22965, also known as Spring4Shell) is an RCE (Remote Code Execution) vulnerability in Spring Framework. Spring Framework is used in CloverDX as one of the technologies powering CloverDX Server Console. The vulnerability allows attacker to exploit data binding functionality in Spring to execute arbitrary code on the target system.
Note that there is also a related security vulnerability in Spring Cloud Function (CVE-2022-22963) which does not impact CloverDX products in any way since we do not use Spring Cloud.
Am I affected?
The vulnerability affects CloverDX deployments that use application containers and Java versions listed below. If you are not using any of the configurations below (e.g., you have different application container or different Java version), you might still be affected. Therefore, we recommend you upgrade CloverDX as soon as possible even if there is no pressing need.
The following configurations have been confirmed as affected so far:
- One of the following application containers
- Apache Tomcat 9 before Tomcat 9.0.62
- VMware tc Server 4.1 with Apache Tomcat 9 runtime
- Red Hat JBoss Web Server 5.4
- In combination with any of the following JDK 11 as
- Eclipse Temurin JDK 11 (or AdoptOpenJDK 11)
- Bellsoft Liberica OpenJDK 11
- Red Hat OpenJDK 11
The platform (Linux or Windows) or backend database do not have any impact on this vulnerability.
Affected product versions
- CloverDX 5.14.0
- CloverDX 5.13.x before CloverDX 5.13.3
- CloverDX 5.12.x before CloverDX 5.12.4
- CloverDX 5.11.x before CloverDX 5.11.5
- CloverDX 5.10.x (this version is retired and does not receive security fixes)
- CloverDX 5.9.x (this version is retired and does not receive security fixes)
- CloverDX 5.8.x (this version is retired and does not receive security fixes)
- CloverDX 5.7.x (this version is retired and does not receive security fixes)
- CloverDX releases before CloverDX older than 5.7.0 (all are EOL and no longer receive any support of fixes)
Fixed product versions
- CloverDX 5.14.1 – contains latest version of Spring Framework which addresses the vulnerability.
- CloverDX 5.13.3 – the release contains latest version of Spring Framework 5.3.18 which address the vulnerability. On 6th April we released packed to allow CloverDX 5.13.3 to also be deployed in JBoss EAP application container and therefore the release now covers all supported deployment options for CloverDX Server
- CloverDX 5.12.4 – released on 12th April and contains latest version of Spring Framework which addresses the vulnerability.
- CloverDX 5.11.5 – released on 13th April and contains latest version of Spring Framework which addresses the vulnerability. Note that the latest version of Spring does not support JBoss EAP 7.1 and therefore CloverDX 5.11.5 cannot be deployed on JBoss EAP 7.1. If you are using JBoss EAP 7.1, you can upgrade to JBoss EAP 7.2 which is fully supported by this release. Note also that JBoss EAP (in any version) is not affected by this vulnerability so staying on CloverDX 5.11.4 is a viable option as well.
CVE-2022-22965: RCE vulnerability in Spring Core (Spring4Shell)
The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment.
The nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet.
All supported versions of CloverDX use Spring 5.1.18. Our preferred deployment stack is using Apache Tomcat 9 web server with Eclipse Temurin JDK 11. This preferred configuration is affected by this vulnerability.
- Spring acknowledgement and details: Spring Framework RCE, Early Announcement
- VMware vulnerability description: CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
- CVE details: CVE-2022-22965 (NVD)
- Severity: CRITICAL
- CVSS 3.1 score: 9.8
- CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CloverDX Bug Tracker: CLO-23227
As of 7th April, we recommend all customers to upgrade to CloverDX 5.14.1 which contains the latest version of Spring Framework which addresses the vulnerability disclosed in this report.
If you cannot upgrade to CloverDX 5.14.1, upgrade to a fixed version matching your product version as described below.
What you need to do
- 5.14.0 users – upgrade to CloverDX 5.14.1
- 5.13.x users – upgrade to CloverDX 5.13.3 (easy upgrade) or to CloverDX 5.14.1.
- 5.12.x users – upgrade to CloverDX 5.12.4 (easy upgrade) or to CloverDX 5.14.1.
- 5.11.x users – upgrade to CloverDX 5.11.5 (easy upgrade) or to CloverDX 5.14.1. If you are running on JBoss EAP 7.1, do not upgrade to CloverDX 5.11.5 since it does not support JBoss EAP 7.1. In such case, you can either upgrade JBoss EAP to JBoss EAP 7.2 before applying the CloverDX update or leave your environment without any change since JBoss EAP is not affected by Spring4Shell vulnerability.
- Older versions – upgrade to CloverDX 5.14.1 (recommended) or any other fixed version. Alternatively, you can apply mitigation steps as described below if you cannot upgrade immediately. In such case, consider planning CloverDX upgrade to the latest version at the earliest possible time.
If you are running CloverDX in Apache Tomcat, you can upgrade Tomcat to version 9.0.62 which contains changes that prevent the vulnerability from being exploited.
Note that while this will prevent the vulnerability, you should only do this as a measure that allows you to properly upgrade your CloverDX instance to the latest version.
Besides the mitigation steps, you should also consider the following to ensure your environment is as safe as possible:
- Limit permissions of your CloverDX Server on the host system. This can be done by ensuring your CloverDX Server runs under a limited user that does not have access to any other data than necessary – e.g., it should not have permissions to see other user’s data etc.
- Periodically review your CloverDX and system logs to verify that no unexpected processes are running on the system.
If you did not receive this email directly and you want to receive Security Advisory emails like this in the future, subscribe to the CloverDX Security Alerts mailing list.
If you have any questions or concerns regarding this advisory, please raise a CloverCARE support request via Customer Portal.
Researchers and software vendors published several articles providing additional information about this vulnerability:
- Spring: Spring Framework RCE, Early Announcement
- VMware: CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
- LunaSec: Spring4Shell: Security Analysis of the latest Java RCE '0-day' vulnerabilities in Spring
- Haozhe Zhang, Ken Hsu, Tao Yan, Qi Deng: CVE-2022-22965: Spring Core Remote Code Execution Vulnerability Exploited In the Wild (SpringShell)
- 2022-04-13 – Added information about CloverDX 5.11.5 and CloverDX 5.12.4.
- 2022-04-07 – Added information about CloverDX 5.14.1 and updated 5.13.3 which both address the vulnerability. Added Tomcat upgrade as possible mitigation strategy.
- 2022-04-02 – Added information about CloverDX 5.13.3 which addresses the vulnerability. Added more details about the vulnerability.
- 2022-04-01 – This advisory was first published.