The Apache CloudStack Blog Open Source Cloud Computing

CloudStack Advisory on Spring4Shell (CVE-2022-22965 and CVE-2022-22963)

by Ivet


Posted on Thursday April 14, 2022 at 08:24AM in Announcements


At the beginning of April 2022, vulnerabilities in the Spring Framework for Java were publicly disclosed. Many companies observed active exploitation of the Spring4Shell vulnerability, CVE-2022-22965, which gives an attacker remote code execution on a vulnerable application; in the observed attacks it was used to deploy the Mirai botnet malware. The exploit downloads a Mirai sample into the “/tmp” directory, marks it executable with “chmod”, and then runs it.


Currently, two Spring vulnerabilities allow malicious actors to achieve remote code execution (RCE): CVE-2022-22965 (Spring4Shell) in Spring Framework, and CVE-2022-22963, a separate SpEL expression-injection flaw in Spring Cloud Function. Spring is maintained by VMware, which has published spring-framework releases v5.3.18 and v5.2.20 as the fix for CVE-2022-22965 (CVE-2022-22963 is fixed separately, in Spring Cloud Function 3.1.7 and 3.2.3).


CloudStack is not affected by the published Spring4Shell RCE exploit or by these CVEs. The known exploit for CVE-2022-22965 requires an application running on JDK 9 or newer, deployed as a WAR package on Tomcat as the servlet container, with spring-webmvc or spring-webflux on the classpath. The CloudStack management server is deployed as an uber-jar running on embedded Jetty, and it uses neither spring-webmvc nor spring-webflux. Note that Spring's own advisory describes the underlying vulnerability as more general than the published exploit and does not rule out other exploitation paths, so upgrading the spring-framework dependency remains worthwhile even where the exploit preconditions are not met.


As part of the Apache CloudStack project's routine maintenance and release efforts, a pull request targeting the next 4.17 LTS release (4.17.0.0 milestone) that upgrades the spring-framework dependency to the latest v5.3.18 has been merged:


https://github.com/apache/cloudstack/pull/6250/files
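As an added example (not CloudStack project code), the following Python script applies the checks from the two paragraphs above that can be made against a built artifact itself: whether the bundled Spring Framework version is below the fixed release for its minor line (v5.3.18 or v5.2.20), whether spring-webmvc or spring-webflux is present, and whether the archive has a WAR layout (a WEB-INF/ tree) rather than being an executable uber-jar. It assumes a Maven-built archive in which each shaded dependency leaves a META-INF/maven/org.springframework/<artifact>/pom.properties entry, or nested jars named <artifact>-<version>.jar; that layout, the file names and the sample archives produced by build_sample_jar are constructed for the example and were not verified against any particular CloudStack build. Whether the servlet container is Tomcat or Jetty, and which JDK is in use, cannot be read from the archive and must be checked on the deployment.

```python
"""Inventory Spring Framework artifacts in a Java archive and compare them
against the CVE-2022-22965 (Spring4Shell) fixed releases.

Added example for this advisory, not CloudStack project code. Assumed layout
(not verified against any CloudStack build): shaded dependencies leave
META-INF/maven/org.springframework/<artifact>/pom.properties entries, or the
archive nests dependency jars named <artifact>-<version>.jar.
"""
import io
import re
import zipfile
from typing import Dict, Optional, Tuple

# First fixed Spring Framework releases per minor line (from the CVE-2022-22965 advisory).
FIXED_RELEASES = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Either artifact on the classpath is one of the published exploit's preconditions.
WEB_ARTIFACTS = ("spring-webmvc", "spring-webflux")

# Assumed archive layouts (see module docstring).
POM_RE = re.compile(
    r"^META-INF/maven/org\.springframework/(spring-[\w-]+)/pom\.properties$"
)
NESTED_JAR_RE = re.compile(
    r"(?:^|/)(spring-[a-z-]+?)-(\d+\.\d+\.\d+)(?:[.-][\w.]+)?\.jar$"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.3.17' or '5.3.17.RELEASE' -> (5, 3, 17); trailing qualifiers are dropped."""
    nums = []
    for part in text.strip().split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums[:3])


def spring_status(version: str) -> str:
    """Classify a Spring Framework version against the CVE-2022-22965 fix releases."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        # 5.1 and older received no fix release; 6.x and later postdate the advisory.
        return "no-fix-available" if v < (5, 2) else "newer-line"
    return "patched" if v >= fixed else "vulnerable"


def scan_jar(jar_bytes: bytes) -> Dict[str, object]:
    """Collect Spring artifact versions and the exploit preconditions visible
    from the archive alone (version, web stack, WAR packaging)."""
    found: Dict[str, str] = {}
    war_layout = False
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("WEB-INF/"):
                war_layout = True  # WAR packaging, as opposed to an executable uber-jar
            m = POM_RE.match(name)
            if m:
                props = zf.read(name).decode("utf-8", "replace")
                vm = re.search(r"^version=(.+)$", props, re.MULTILINE)
                if vm:
                    found[m.group(1)] = vm.group(1).strip()
                continue
            m = NESTED_JAR_RE.search(name)
            if m:
                found.setdefault(m.group(1), m.group(2))
    core: Optional[str] = found.get("spring-beans") or found.get("spring-core")
    return {
        "artifacts": found,
        "core_version": core,
        "core_status": spring_status(core) if core else "spring-not-found",
        "web_stack_present": any(a in found for a in WEB_ARTIFACTS),
        "war_layout": war_layout,
    }


def build_sample_jar(versions: Dict[str, str], nested: bool = False) -> bytes:
    """Build an in-memory archive with the given Spring artifacts.
    Constructed sample input for this example, not a real CloudStack build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for artifact, version in versions.items():
            if nested:
                zf.writestr(f"lib/{artifact}-{version}.jar", b"")
            else:
                zf.writestr(
                    f"META-INF/maven/org.springframework/{artifact}/pom.properties",
                    f"groupId=org.springframework\nartifactId={artifact}\nversion={version}\n",
                )
    return buf.getvalue()


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # real use: python spring_check.py <path-to-jar>
        with open(sys.argv[1], "rb") as fh:
            print(scan_jar(fh.read()))
    else:  # no argument: run against the constructed samples
        exposed = build_sample_jar({"spring-beans": "5.3.17", "spring-webmvc": "5.3.17"})
        fixed = build_sample_jar({"spring-beans": "5.3.18", "spring-web": "5.3.18"}, nested=True)
        print("sample-vulnerable:", scan_jar(exposed))
        print("sample-patched:  ", scan_jar(fixed))
```

A "vulnerable" core_status with web_stack_present and war_layout both true reproduces the full set of archive-visible preconditions for the published exploit; a "vulnerable" core_status on its own is still a reason to upgrade, given the advisory's caveat that other exploitation paths may exist.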


