This is a notification for product news or an alert. If you have a question, please start a new discussion

ALERT : Vulnerability in Spring Framework (Spring MVC or Spring WebFlux or Spring4Shell)

A Security Alert, CVE-2022-22695, has been raised for the Spring Framework which encompasses Spring MVC or Spring WebFlux. 

Another article from Kaspersky, Spring4Shell, mentions the Spring4Shell critical vulnerability as well.

The description of the alert is:

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Development have looked into this and concluded that 

  • The Java Web Server leverages JDK8,
  • The application run on Tomcat as JAR deployment,
  • The Spring part of component Apache Axis2 Spring is not used. 

This means that the prerequisites for the exploit are not met for X3 (JDK9 or higher, Packaged as WAR, spring dependency) as Sage X3 uses JDK 8 rather than JDK9.