CVE-2022-22965: Spring Core Remote Code Execution Vulnerability Exploited In the Wild (SpringShell) #10321
Due to the recent report of the SpringShell vulnerability, can this be mitigated?

gocd/dependencies.gradle, line 99 in 7edfbe1
gocd/server/build.gradle, line 907 in 9ed30d5

Comments

According to https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted and all information I have read at this time, the vulnerability is only exploitable via Apache Tomcat in a particular configuration. GoCD does not use Apache Tomcat; it uses Jetty, so at this time I do not believe GoCD is affected by this. If on further research it is discovered that it also affects other servlet containers such as Jetty, this will have to be reconsidered.

Just for the record: there is also CVE-2022-22963, but it affects Spring 3.2.2 and some older versions; GoCD uses 4.3.30.

CVE-2022-22963 relates to Spring Cloud Function, which GoCD does not use. (GoCD doesn't use any of Spring Cloud at all right now.) Note that the Spring Cloud batch of projects uses a completely different versioning scheme and release cadence from both Spring Framework and Spring Boot, so you cannot compare version numbers between these.

Thanks for the clarification @chadlwilson.

Although GoCD does use WAR deployment, in addition to the notes above, there is jetty/jetty.project#7817 (comment) from the Jetty developers confirming that there is no similar vulnerability with the classloader used within Jetty for loading WAR files. Accordingly, at this stage I will close this. With respect to noise from security scans, which will possibly highlight this as a possible vulnerability, it will have to be addressed over time once we are able to upgrade Spring Framework to a later version. There are a few blockers to doing so right now, including Hibernate support and migrating away from use of some limited Velocity templating whose support was dropped in Spring 5.