I've been asked the question below by one client and was wondering if anyone else had been asked the same question.
Is there any known issue with SAGE due to the recently discovered Java Spring zero-day exploit? Notes copied below for your convenience:
A zero-day exploit in the Spring Core module of the Spring Framework was discovered that results in unauthenticated Remote Code Execution (RCE) by an attacker sending a malicious HTTP request to a target system. This package is used in many Java-based applications and while it is easy to exploit, the application needs to be configured in such a way for an exploit to be successful. Spring Boot is also affected by this vulnerability as it incorporates the Spring Framework. Other applications that incorporate the Spring Framework that are affected by this vulnerability are expected to be announced over the next few days.
According to Spring, the following requirements must be met for an application to be vulnerable; however, they caution that there may be other ways in which this vulnerability can be exploited, so this may not be a complete list of requirements at this time:
- Java Development Kit (JDK) 9 or greater
- Apache Tomcat as the Servlet container
- Packaged as a WAR
- spring-webmvc or spring-webflux dependency
Affected Spring Framework and Spring Boot Versions:
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older unsupported versions
Spring Boot versions prior to 2.6.6 and 2.5.12
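For anyone triaging their own deployments against the notes above, here is a small added example (my own illustration, not code from the post, from Spring, or from any vendor) that turns the affected-version ranges and the four prerequisites into a repeatable check. It assumes you can get an `unzip -l app.war` listing of the deployed WAR and that the Spring jars follow the usual `WEB-INF/lib/<artifact>-<X.Y.Z>[.RELEASE].jar` naming; the JDK major version, servlet container and packaging are passed in by hand because they come from the runtime, not the archive. It also assumes Spring Boot lines older than 2.5 count as "older unsupported versions" that bundle an affected Spring Framework, and that lines newer than 2.6 do not. The sample listing is constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges for Spring Framework, as listed in the notes above.
SPRING_AFFECTED_RANGES = [((5, 3, 0), (5, 3, 17)), ((5, 2, 0), (5, 2, 19))]
# First fixed release per supported Spring Boot line, as listed above.
BOOT_FIRST_FIXED = {(2, 6): (2, 6, 6), (2, 5): (2, 5, 12)}

# Matches WEB-INF/lib/<artifact>-<X.Y.Z>[.RELEASE].jar entries from an `unzip -l app.war` listing.
JAR_RE = re.compile(
    r"WEB-INF/lib/(spring-core|spring-boot|spring-webmvc|spring-webflux)-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$"
)


def spring_affected(v: Version) -> bool:
    """True if a Spring Framework version is in an affected range (or older and unsupported)."""
    if any(lo <= v <= hi for lo, hi in SPRING_AFFECTED_RANGES):
        return True
    return v < (5, 2, 0)  # "older unsupported versions" are listed as affected


def boot_affected(v: Version) -> bool:
    """True if a Spring Boot version predates its line's fix (2.6.6 / 2.5.12)."""
    fixed = BOOT_FIRST_FIXED.get((v[0], v[1]))
    if fixed is not None:
        return v < fixed
    # Assumption: lines older than 2.5 are out of support and bundle an affected Spring Framework;
    # lines newer than 2.6 were released after the fix.
    return v < (2, 5, 0)


def inventory_war(listing: str) -> Dict[str, Version]:
    """Extract Spring artifact versions from an `unzip -l` style listing of a WAR."""
    found: Dict[str, Version] = {}
    for line in listing.splitlines():
        m = JAR_RE.search(line.strip())
        if m:
            found[m.group(1)] = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return found


def assess(listing: str, jdk_major: int, servlet_container: str, packaging: str) -> Dict[str, object]:
    """Combine the version check with the four prerequisites from the notes."""
    inv = inventory_war(listing)
    core, boot = inv.get("spring-core"), inv.get("spring-boot")
    version_affected = (core is not None and spring_affected(core)) or (
        boot is not None and boot_affected(boot)
    )
    prereqs = {
        "jdk9_or_later": jdk_major >= 9,
        "tomcat": servlet_container.lower() == "tomcat",
        "war_packaging": packaging.lower() == "war",
        "webmvc_or_webflux": "spring-webmvc" in inv or "spring-webflux" in inv,
    }
    return {
        "versions": inv,
        "affected_version": version_affected,
        "prereqs": prereqs,
        # The known exploit path needs every prerequisite ...
        "matches_known_exploit_path": version_affected and all(prereqs.values()),
        # ... but Spring cautions other paths may exist, so an affected version still needs the upgrade.
        "upgrade_required": version_affected,
    }


# Constructed sample listing (not real inventory data) in the shape of `unzip -l app.war` output.
SAMPLE_LISTING = """\
  Length      Date    Time    Name
---------  ---------- -----   ----
  1484457  2022-03-30 10:12   WEB-INF/lib/spring-core-5.3.17.jar
  1005862  2022-03-30 10:12   WEB-INF/lib/spring-webmvc-5.3.17.jar
  1354783  2022-03-30 10:12   WEB-INF/lib/spring-boot-2.6.5.jar
   417003  2022-03-30 10:12   WEB-INF/lib/spring-boot-starter-web-2.6.5.jar
"""

if __name__ == "__main__":
    result = assess(SAMPLE_LISTING, jdk_major=11, servlet_container="Tomcat", packaging="war")
    for key, value in result.items():
        print(f"{key}: {value}")
```

The point of keeping `upgrade_required` separate from `matches_known_exploit_path` is the caveat in the notes: an app on JDK 8 or deployed as an executable jar does not match the published exploit path, but it is still on an affected version and Spring does not promise that path is the only one, so the patch decision should key off the version, not the prerequisites.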