Document toolboxDocument toolbox

Spring4Shell Vulnerability

General information

This article contains information related to the remote code execution (RCE) vulnerability affecting Spring, CVE-2022-22965 and CVE-2022-22963.

These CVEs were reported the 31/3 and Nexus security team has been investigating this closely since they became official.

The Spring Framework provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Official sites for the CVEs:

https://tanzu.vmware.com/security/cve-2022-22965
https://tanzu.vmware.com/security/cve-2022-22963

The Nexus Security team has investigated the impact of the Spring related CVEs (CVE-2022-22963 and CVE-2022-22965), and the possible impact on our components. The component specific information can be seen in the table below.

Nexus components

This list contains the components from Nexus, and their respective affected versions.

Component

Affected versions CVE-2022-22965

Affected versions CVE-2022-22963

Comment

Component

Affected versions CVE-2022-22965

Affected versions CVE-2022-22963

Comment

Smart ID Certificate Manager

Not affected

Not affected

Does not use Spring

Nexus OCSP Responder

Not affected

Not affected

Does not use Spring

Nexus Timestamp Server

Not affected

Not affected

Does not use Spring

Smart ID Desktop App/Client

Not affected

Not affected

Does not use Spring

Smart ID Mobile App

Not affected

Not affected

Does not use Spring

Nexus Card SDK

Not affected

Not affected

Does not use Spring

Smart ID Physical Access

Not affected

Not affected

Does not use Spring

Smart ID Digital Access (previously named Hybrid Access Gateway – HAG)

Not affected

Not affected

Does not use Spring

Smart ID Identity Manager/PRIME

Versions running on JRE11 are potentially affected, but not exploitable.

For PRIME version 3.12 and below, they are affected only if you choose to run them with JRE 11 instead of JRE 8.

Not affected

(does not use spring-cloud-functions)

The underlying source code of this component filters correctly for the content type. Additionally, unmarshalling from URL encoded data to form data is not used in the program code.

To have an adequate protection we strongly recommend using Apache Tomcat version 10.0.20, 9.0.62, or 8.5.78 or above.

For Smart ID on Docker versions 21.10.3, 21.04.9, and 20.11.6, Apache Tomcat has been updated to the latest, non-vulnerable version.

Smart ID Self-Service (Angular/SpringBoot-based)

Versions running on JRE11 are potentially affected, but not exploitable.

For PRIME version 3.12 and below, they are affected only if you choose to run them with JRE 11 instead of JRE 8.

Not affected

(does not use spring-cloud-functions)

The underlying source code of this component filters correctly for the content type. Additionally, unmarshalling from URL encoded data to form data is not used in the program code.

To have an adequate protection we strongly recommend using Apache Tomcat version 10.0.20, 9.0.62, or 8.5.78 or above.

For Smart ID on Docker versions 21.10.3, 21.04.9, and 20.11.6, Apache Tomcat has been updated to the latest, non-vulnerable version.

Smart ID Self-Service Legacy USSP (Wicket-based)

Versions running on JRE11 are potentially affected, but not exploitable.

For PRIME version 3.12 and below, they are affected only if you choose to run them with JRE 11 instead of JRE 8.

Not affected

(does not use spring-cloud-functions)

The underlying source code of this component filters correctly for the content type. Additionally, unmarshalling from URL encoded data to form data is not used in the program code.

To have an adequate protection we strongly recommend using Apache Tomcat version 10.0.20, 9.0.62, or 8.5.78 or above.

If you run on Docker, the new Apache Tomcat version will be included within the upcoming minor releases for all versions.

Smart ID Messaging component - Hermod

In Hermod 3.3.3 Spring Boot has been updated to ensure that no version is affected by the Spring4Shell vulnerability.

Not affected

Recommendation from Nexus is for you as a customer to verify if you have deployed a plain WAR file in tomcat.

Nexus ID06 Service

Not affected

Not affected

Services patched

Nexus Go Cards

Not affected

Not affected

Services patched



Latest update date of this article

2022-04-28



Table of contents

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions