Spring4Shell: Security Analysis of the latest Java RCE '0-day' vulnerabilities in Spring

[monze]

Hey

Dows Oxalix use Spring, and thereby is affected by the issue?

Spring4Shell: Security Analysis of the latest Java RCE '0-day' vulnerabilities in Spring
For information: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/

Jacob Mogensen
mySupply Aps

[aaron-kumar]

Oxalis itself do Not use spring-* dependency.
But Oxalis users are advised to check their back-end services for Spring4Shell vulnerabilities.

Am I Impacted? -source : https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
These are the requirements for the specific scenario from the report:

• JDK 9 or higher
• Apache Tomcat as the Servlet container.
• Packaged as a traditional WAR (in contrast to a Spring Boot executable jar).
• spring-webmvc or spring-webflux dependency.
• Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.

However, the nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet.

Links:

• https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
• https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/#applying-mitigations
• https://snyk.io/blog/spring4shell-zero-day-rce-spring-framework-explained/