CVE-2022-22965: Spring Core Remote Code Execution Vulnerability Exploited In the Wild (SpringShell) #10321

Closed
avatarworf opened this issue Apr 1, 2022 · 5 comments · Fixed by #10332
Labels
dependencies java Pull requests that update Java code security Pull requests that address a security vulnerability

Comments

@avatarworf

spring : 'org.springframework:spring-core:4.3.30.RELEASE',

"spring-beans-${project.versions.spring}.jar",

Due to the recent report of the SpringShell vulnerability, can this be mitigated?

@chadlwilson
Member

According to https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted and all information I have read at this time, the vulnerability is only exploitable via Apache Tomcat in a particular configuration.

GoCD does not use Apache Tomcat; it uses Jetty so at this time I do not believe GoCD is affected by this.

If on further research it is discovered that it also affects other servlet containers such as Jetty this will have to be reconsidered.

@chadlwilson chadlwilson pinned this issue Apr 1, 2022
@chadlwilson chadlwilson added security Pull requests that address a security vulnerability dependencies java Pull requests that update Java code labels Apr 1, 2022
@moritz
Contributor

moritz commented Apr 1, 2022

Just for the record: there is also CVE-2022-22963, but it affects Spring 3.2.2 and some older versions; GoCD uses 4.3.30.

@chadlwilson
Member

CVE-2022-22963 relates to Spring Cloud Function which GoCD does not use. (GoCD doesn't use any of Spring Cloud at all right now)

Note that the Spring Cloud batch of projects use a completely different versioning scheme and release cadence both to Spring Framework and Spring Boot, so you cannot compare version numbers between these.
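Putting the two points above into something you can run against a build: the following is an added example (my code, not GoCD's, Spring's or Jetty's). It applies the "Am I impacted?" conditions from the Spring announcement linked earlier in the thread (JDK 9+, Apache Tomcat, traditional WAR packaging, spring-webmvc or spring-webflux, Spring Framework below 5.3.18 / 5.2.20 or an older line) to a dependency list plus a few deployment facts, and it looks up CVE-2022-22963 by the Spring Cloud Function artifact's own coordinates instead of the Framework version, since the two projects version independently. The Java version and packaging of the GoCD-like input, and the two other deployments, are constructed sample data.

```python
"""Triage helper for the two CVEs discussed in this thread.

Added example, not GoCD's code. Affected-version ranges and the exploit
preconditions for CVE-2022-22965 are those in the Spring early announcement
linked above; the deployments at the bottom are constructed sample inputs."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Deployment:
    java_major: int
    servlet_container: str  # "tomcat", "jetty", ...
    packaging: str          # "war" (traditional deployment) or "jar" (Boot executable)
    dependencies: tuple     # Gradle coordinates "group:artifact:version"


# Lowest fixed release per supported minor line; older lines never received a fix.
FRAMEWORK_FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}    # CVE-2022-22965
CLOUD_FUNCTION_FIXED = {(3, 2): (3, 2, 3), (3, 1): (3, 1, 7)}  # CVE-2022-22963


def parse_version(text):
    """'4.3.30.RELEASE' -> (4, 3, 30); qualifiers such as RELEASE are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(n) for n in m.groups()) if m else None


def version_of(deps, group, artifact):
    """Version tuple of group:artifact in a dependency list, or None if absent."""
    for dep in deps:
        g, a, v = dep.split(":")
        if (g, a) == (group, artifact):
            return parse_version(v)
    return None


def is_vulnerable_version(version, fixed):
    """Below the fix on its own minor line, or on a line older than any fixed one."""
    line = version[:2]
    if line in fixed:
        return version < fixed[line]
    return line < min(fixed)


def known_exploit_preconditions(d):
    """One entry per condition the announcement lists for the known exploit.
    The Framework version is deliberately a separate entry: an old Framework on
    Jetty is an 'affected version' but is not reachable by this exploit chain."""
    framework = version_of(d.dependencies, "org.springframework", "spring-core")
    web = {"spring-webmvc", "spring-webflux"}
    return {
        "jdk9_plus": d.java_major >= 9,
        "tomcat": d.servlet_container.lower() == "tomcat",
        "war_packaging": d.packaging.lower() == "war",
        "web_mvc_or_flux": any(dep.split(":")[0] == "org.springframework"
                               and dep.split(":")[1] in web
                               for dep in d.dependencies),
        "unpatched_framework": framework is not None
                               and is_vulnerable_version(framework, FRAMEWORK_FIXED),
    }


def all_preconditions_met(d):
    return all(known_exploit_preconditions(d).values())


def cve_2022_22963_status(d):
    """Spring Cloud Function has its own version line, so it is looked up by its
    own coordinates and never inferred from the Spring Framework version."""
    v = version_of(d.dependencies,
                   "org.springframework.cloud", "spring-cloud-function-context")
    if v is None:
        return "not applicable"
    return "vulnerable" if is_vulnerable_version(v, CLOUD_FUNCTION_FIXED) else "patched"


# Constructed inputs. GOCD_LIKE mirrors the two coordinates quoted in the issue
# (Java version and packaging are assumed); the other two are hypothetical apps.
GOCD_LIKE = Deployment(11, "jetty", "war", (
    "org.springframework:spring-core:4.3.30.RELEASE",
    "org.springframework:spring-beans:4.3.30.RELEASE",
))
TOMCAT_WAR = Deployment(17, "tomcat", "war", (
    "org.springframework:spring-core:5.3.17",
    "org.springframework:spring-webmvc:5.3.17",
))
CLOUD_FUNCTION_APP = Deployment(17, "tomcat", "jar", (
    "org.springframework:spring-core:5.3.18",
    "org.springframework.cloud:spring-cloud-function-context:3.2.2",
))

if __name__ == "__main__":
    for name, d in [("gocd-like", GOCD_LIKE), ("tomcat-war", TOMCAT_WAR),
                    ("cloud-fn", CLOUD_FUNCTION_APP)]:
        print(name, known_exploit_preconditions(d),
              "CVE-2022-22963:", cve_2022_22963_status(d))
```

For the GoCD-like input the `unpatched_framework` entry is true (4.3.x is older than any line that received a fix), which is exactly what a dependency scanner keys on, while `tomcat` and `web_mvc_or_flux` are false, which is the reasoning used above to treat the known exploit as not applicable. The hypothetical Cloud Function app shows why version numbers cannot be compared across projects: its Framework 5.3.18 is patched, yet its spring-cloud-function-context 3.2.2 is on the CVE-2022-22963 affected list.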

@moritz
Contributor

moritz commented Apr 1, 2022

Thanks for the clarification @chadlwilson.

@chadlwilson
Member

Although GoCD does use war deployment, in addition to the notes above, there is jetty/jetty.project#7817 (comment) from the Jetty developers confirming that there is no similar vulnerability with the classloader used within Jetty for loading WAR files.

Accordingly, at this stage I will close this.

With respect to noise from security scans which will possibly highlight this as a possible vulnerability, it will have to be addressed over time once we are able to upgrade Spring Framework to a later version. There are a few blockers to doing so right now, including Hibernate support and migrating away from use of some limited Velocity templating whose support was dropped in Spring 5.

@chadlwilson chadlwilson closed this as not planned Oct 8, 2022
@chadlwilson chadlwilson unpinned this issue Nov 26, 2022