Hi everyone,
A couple of days ago a critical security vulnerability was found in the Spring Framework: https://tanzu.vmware.com/security/cve-2022-22965
As stated in the report, the prerequisites for the exploit are:
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as WAR
- spring-webmvc or spring-webflux dependency
Additionally, the known exploit scenarios involve the use of POJOs bound to request parameters in Spring MVC controllers. Such a use case in the Jmix framework exists only in the WebDAV add-on. So most probably your project is vulnerable only if you use WebDAV or if you have custom Spring MVC controllers that bind POJOs from request parameters. Consider also that WebDAV endpoints require authentication, so the probability of a real attack is low.
Nevertheless, we recommend updating the spring-webmvc dependency in your project. It can be done by adding the following line to the dependencies block of your build.gradle:

```groovy
dependencies {
    implementation 'org.springframework:spring-webmvc:5.3.18'
    // ...
}
```
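To make the exploit prerequisite described above concrete, here is an added example (not code from this post or from the Jmix framework) of a Spring MVC controller that binds a POJO from request parameters, together with the defence-in-depth workaround the Spring team published for CVE-2022-22965: an @InitBinder that forbids the `class.*` / `Class.*` property paths so the data binder cannot reach the class loader through nested properties. The package, class and endpoint names are assumed for illustration. Upgrading spring-webmvc, as recommended above, remains the actual fix; the binder restriction only reduces exposure for code you cannot upgrade immediately.

```java
package com.example.demo; // hypothetical package, not part of Jmix

import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class GreetingController {

    // Plain bean bound from request parameters: this is the
    // "POJO bound to request parameters" pattern the advisory refers to.
    // Spring MVC populates it via setters from ?name=... or form fields.
    public static class GreetingForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Workaround published by the Spring team for CVE-2022-22965:
    // stop the data binder from binding "class" properties on the bound
    // object or on anything nested under it. With an affected Spring version
    // and Tomcat/WAR deployment, those paths are what the exploit abuses.
    @InitBinder
    public void restrictBinding(WebDataBinder binder) {
        binder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*");
    }

    // Handler whose POJO argument is filled by the data binder.
    @PostMapping("/greet")
    public String greet(GreetingForm form) {
        return "Hello, " + form.getName();
    }
}
```

After changing build.gradle, check that the override actually wins in dependency resolution before relying on it: `./gradlew dependencyInsight --dependency spring-webmvc --configuration runtimeClasspath` prints the resolved version and which declaration selected it, so a transitive pin to an older version does not go unnoticed.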
Next week we will release a new version 1.2.2 of the Jmix framework with updated dependencies (see https://github.com/jmix-framework/jmix/issues/645). After upgrading your project to Jmix 1.2.2, remove the explicit dependency on spring-webmvc from your build.gradle.
For recommendations on CUBA projects, see On Spring Framework vulnerability (Spring4Shell) - CUBA.Platform