Sage X3 UK

Welcome to the Sage X3 Support Group on Community Hub! Available 24/7, the forums are a great place to ask and answer product questions, as well as share tips and tricks with Sage peers, partners, and pros.

Announcement!

This is a notification for product news or an alert. If you have a question, please start a new discussion

ALERT : Vulnerability in Spring Framework (Spring MVC or Spring WebFlux or Spring4Shell)

Posted By Richard Perrins over 2 years ago

A Security Alert, CVE-2022-22695, has been raised for the Spring Framework which encompasses Spring MVC or Spring WebFlux.

Another article from Kaspersky, Spring4Shell, mentions the Spring4Shell critical vulnerability as well.

The description of the alert is:

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Development have looked into this and concluded that

The Java Web Server leverages JDK8,
The application run on Tomcat as JAR deployment,
The Spring part of component Apache Axis2 Spring is not used.

This means that the prerequisites for the exploit are not met for X3 (JDK9 or higher, Packaged as WAR, spring dependency) as Sage X3 uses JDK 8 rather than JDK9.

Sage X3 UK

ALERT : Vulnerability in Spring Framework (Spring MVC or Spring WebFlux or Spring4Shell)

COMMUNITY

COMPANY

PARTNERS

SUPPORT & TRAINING