JAVA zero day exploit

I've been asked the question below by one client and was wondering if anyone else had been asked the same question. 

Is there any known issue with SAGE due to the recently discovered Java Spring zero-day exploit?  Notes copied below for your convenience;

A zero-day exploit in the Spring Core module of the Spring Framework was discovered that results in unauthenticated Remote Code Execution (RCE) by an attacker sending a malicious HTTP request to a target system. This package is used in many Java-based applications and while it is easy to exploit, the application needs to be configured in such a way for an exploit to be successful. Spring Boot is also affected by this vulnerability as it incorporates the Spring Framework. Other applications that incorporate the Spring Framework that are affected by this vulnerability are expected to be announced over the next few days.

According to Spring, the following requirements must be met for an application to be vulnerable, however they caution that there may be other ways in which this vulnerability can be exploited so this may not be a complete list of requirements at this time:

  • Java Development Kit (JDK) 9 or greater
  • Apache Tomcat as the Servlet container
  • Packaged as a WAR
  • spring-webmvc or spring-webflux dependency

Affected Spring Framework and Spring Boot Versions:
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older unsupported versions
Spring Boot versions prior to 2.6.6 and 2.5.12

  • Information regarding Java and Spring Framework vulnerabilities

    Summary

    This week (March 30 and 31, 2022) we became aware of an issue with Java and Spring Framework vulnerabilities and have been investigating the potential impact on our solutions.

    Resolution

    Sage takes the security of its customer solutions extremely seriously, and proactively undertakes testing and monitoring to identify and fix potential vulnerabilities across its products. Following the announcement of the Java and Spring Framework vulnerabilities on March 30 and 31, 2022, Sage has been investigating the potential impact on our solutions.

    Our initial findings indicate that Sage products are unlikely to be impacted by the announced vulnerabilities due to limited use of the Spring Framework and the affected Java versions (version 9 and above).

    Working with our industry peers and in an abundance of caution, where we have identified the potential for a vulnerability due to the use of the Spring Framework, we are updating products as soon as possible to the last recommended version which is not vulnerable to this issue.

    If you have further questions, please speak to your account manager in the first instance.  We thank you for your understanding and patience in this matter.

  • FormerMember
    FormerMember in reply to Wayne Schulz

    Always fun fixing issues with a vitual machine.