Recently there was a remote code execution vulnerability found in the Spring Framework. The vulnerability impacts Spring MVC and Spring WebFlux applications running JDK 9+.
In order to determine if you are impacted, the following requirements must be met:
- JDK 9 or higher
- Apache Tomcat as the Servlet container.
- Packaged as a traditional WAR (in contrast to a Spring Boot executable jar).
- spring-webmvc or spring-webflux dependency.
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.
The mitigation for the vulnerability is to upgrade Spring Framework to 5.3.18+ and 5.2.20+. No other workarounds are necessary.
For older, unsupported Spring Framework versions, upgrading to Apache Tomcat 10.0.20, 9.0.62, or 8.5.78 provides protection against the reported attack vector.
What CyberMaxx is doing in response:
- CyberMaxx’s infrastructure and products are not impacted by this vulnerability
- We are monitoring indicators of compromise and establishing alerts for our security products as information becomes available
If you have questions, please contact your CyberMaxx Account Manager or our Security Operations Center at 888-468-1418.
References: