General information
This article contains information related to the remote code execution (RCE) vulnerabilities affecting Spring, CVE-2022-22965 and CVE-2022-22963.
These CVEs were published on 31 March, and the Nexus security team has been investigating them closely since they became official.
The Spring Framework provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.
Official sites for the CVEs:
https://tanzu.vmware.com/security/cve-2022-22965
https://tanzu.vmware.com/security/cve-2022-22963
The Nexus Security team is investigating the impact of the Spring-related CVEs (CVE-2022-22963 and CVE-2022-22965) and the possible impact on our components.
Mitigation
Nexus development teams are investigating the best ways of mitigating the vulnerabilities.
Current investigations have found no workaround other than correcting the affected code.
Nexus components
This list contains the Nexus components and their respective affected versions.
Component | Affected versions CVE-2022-22965 | Affected versions CVE-2022-22963 | Comment |
---|---|---|---|
Smart ID Certificate Manager | Not affected | Not affected | Does not use Spring |
Nexus OCSP Responder | Not affected | Not affected | Does not use Spring |
Nexus Timestamp Server | Not affected | Not affected | Does not use Spring |
Smart ID Desktop App/Client | Not affected | Not affected | Does not use Spring |
Smart ID Mobile App | Not affected | Not affected | Does not use Spring |
Nexus Card SDK | Not affected | Not affected | Does not use Spring |
Smart ID Physical Access | Not affected | Not affected | Does not use Spring |
Smart ID Digital Access (previously named Hybrid Access Gateway – HAG) | Not affected | Not affected | Does not use Spring |
Smart ID Identity Manager/PRIME | Any version running on JRE 11. Smart ID version 20.11 and above requires JRE 11, thus they are affected. For PRIME version 3.12 and below, they are affected only if you choose to run them with JRE 11 instead of JRE 8. | Not affected (does not use spring-cloud-functions) | Further investigations ongoing. Patch implementation and mitigation in planning |
Smart ID Self-Service (Angular/SpringBoot-based) | Any version running on JRE 11. Smart ID version 20.11 and above requires JRE 11, thus they are affected. For older versions, they are affected only if you choose to run them with JRE 11 instead of JRE 8. | Not affected (does not use spring-cloud-functions) | Further investigations ongoing. Patch implementation and mitigation in planning |
Smart ID Self-Service Legacy USSP (Wicket-based) | Any version running on JRE 11. Smart ID version 20.11 and above requires JRE 11, thus they are affected. For older versions, they are affected only if you choose to run them with JRE 11 instead of JRE 8. | Not affected (does not use spring-cloud-functions) | Further investigations ongoing. Patch implementation and mitigation in planning |
Smart ID Messaging component - Hermod | In Hermod 3.3.3 Spring Boot has been updated to ensure that no version is affected by the Spring4Shell vulnerability. | Not affected. Further analysis required. | Recommendation from Nexus is for you as a customer to verify whether you have deployed a plain WAR file in Tomcat. |
Nexus ID06 Service | Not affected | Not affected | Services patched |
Nexus Go Cards | Not affected | Not affected | Services patched |
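To make the JRE 11 versus JRE 8 distinction and the "plain WAR in Tomcat" check in the table above actionable, here is an added triage helper (example code, not Nexus software) that applies the preconditions published in the VMware advisories linked above to a description of a deployment. The `Deployment`, `java_major` and `triage` names are assumptions; the helper checks the runtime environment only and does not tell you whether the Spring version itself is already patched.

```python
"""Triage helper for the preconditions behind CVE-2022-22965 and CVE-2022-22963.

Added example for this page; it is not Nexus code. The conditions encoded here
come from the VMware advisories linked above: CVE-2022-22965 needs JDK 9 or
newer, a WAR deployed on Apache Tomcat and spring-webmvc or spring-webflux on
the classpath; CVE-2022-22963 needs spring-cloud-function on the classpath.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Deployment:
    java_version: str              # as printed by `java -version`, e.g. "11.0.14" or "1.8.0_292"
    packaging: str                 # "war" or "jar" (executable jar with embedded container)
    container: str                 # servlet container name, e.g. "tomcat", "jetty"
    dependencies: List[str] = field(default_factory=list)  # artifactIds on the classpath


def java_major(version: str) -> int:
    """Normalise Java version strings: "1.8.0_292" -> 8, "11.0.14" -> 11, "17" -> 17."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Java version string: {version!r}")
    first, second = int(m.group(1)), m.group(2)
    # Pre-Java 9 releases used the legacy 1.x scheme, where x is the real major.
    return int(second) if first == 1 and second else first


def triage(d: Deployment) -> Dict[str, bool]:
    """Return, per CVE, whether every published precondition is met (hypothetical helper)."""
    deps = {x.lower() for x in d.dependencies}
    spring4shell = (
        java_major(d.java_version) >= 9
        and d.packaging.lower() == "war"
        and d.container.lower() == "tomcat"
        and bool(deps & {"spring-webmvc", "spring-webflux"})
    )
    # spring-cloud-function ships as several artifacts (-context, -web, ...).
    cloud_function = any(x.startswith("spring-cloud-function") for x in deps)
    return {"CVE-2022-22965": spring4shell, "CVE-2022-22963": cloud_function}


if __name__ == "__main__":
    # Constructed sample: the JRE 11 + plain WAR in Tomcat case the table above describes.
    sample = Deployment("11.0.14", "war", "tomcat", ["spring-webmvc", "spring-boot-starter-web"])
    print(triage(sample))  # {'CVE-2022-22965': True, 'CVE-2022-22963': False}
```

A "False" result means the environment does not match the published preconditions; it is not proof that the application is safe, so still upgrade Spring to a fixed release.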
Latest update date of this article
2022-04-04