Summary

Hello, according to the following sources a SpringShell 0-day vulnerability has been found:
https://github.com/spring-projects/spring-framework/pull/28075
https://www.contrastsecurity.com/security-influencers/new-spring4shell-vulnerability-confirmed-what-it-is-and-how-to-be-prepared

The impacted Spring Core versions are up to 5.3.17; we have seen that Spring Framework 5.3.18 was released 6 hours ago, and it should fix the issue according to the second post, where they state "Upgrade Spring Framework to 5.3.18 or 5.2.20 which mitigates the vulnerability."

Could you please release an upgrade of Spring Security 5.4.x with Spring Framework 5.2.20 and 5.6.x with Spring Framework 5.3.18?

Comment From: rwinch

Thank you for reaching out. We plan on providing our regular monthly patch release on April 18th, but we are not treating it as critical because Spring Security is not vulnerable to the exploit. This means we do not plan on providing a release with updated dependency versions in an expedited fashion.

While Spring Security uses Spring Framework (which contains the vulnerability), context matters. For example, JDK deserialization can provide exploits if untrusted data is sent to be deserialized. This does not mean that any application that uses JDK deserialization has a CVE. Similarly, if untrusted data is sent through methods within Spring Framework it can lead to the most recent Spring CVE. Spring Security does not send untrusted data through the code path and thus is not vulnerable.

If you are using spring-webflux or spring-webmvc, then it is advisable to update your Spring Framework version, as you may be impacted. These dependencies must be explicitly added (Spring Security does not bring them in), so updating them is necessary even if Spring Security updated its dependencies.

That said, if you use spring-webmvc or spring-webflux, then you may be vulnerable. If that is the case, please update your Spring Framework versions accordingly. You can find more up-to-date information at https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted

Comment From: Staticsubh

> • JDK 9 or higher
> • Apache Tomcat as the Servlet container
> • Packaged as WAR
> • spring-webmvc or spring-webflux dependency

@rwinch Out of all the prerequisites mentioned above, if I am not using spring-webflux or spring-webmvc, does it mean our application is safe from this vulnerability? We are using JDK 11 with Spring 4.3.30 and JBoss EAP 7.3.1.

Comment From: rasantel

Should we expect any issues in Spring Security if we force the Spring Framework to be 5.3.18, considering that Spring Security 5.6.2 depends on 5.3.16?

Comment From: rwinch

Spring Security should work with Spring Framework as long as it is the same minor version.

> Should we expect any issues in Spring Security if we force the Spring Framework to be 5.3.18, considering that Spring Security 5.6.2 depends on 5.3.16?

Spring Security will work with Spring Framework as long as the major and minor versions align, so incrementing the patch version is expected to work.

Comment From: rwinch

> • JDK 9 or higher
> • Apache Tomcat as the Servlet container
> • Packaged as WAR
> • spring-webmvc or spring-webflux dependency
>
> @rwinch Out of all the prerequisites mentioned above, if I am not using spring-webflux or spring-webmvc, does it mean our application is safe from this vulnerability? We are using JDK 11 with Spring 4.3.30 and JBoss EAP 7.3.1.

Spring 4.x reached EOL on Dec 31, 2020 (related blog) and thus is vulnerable to other exploits. You can deduce which vulnerabilities by looking at the CVEs reported against Spring since EOL was reached and presume that 4.x is vulnerable to those exploits. I'd strongly recommend upgrading.
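The two rwinch comments above reduce the dependency side of "am I impacted" to a check you can run against your own build: is spring-webmvc or spring-webflux on the classpath, and is the resolved Spring Framework version at or above the fixed 5.3.18 / 5.2.20 patch levels (with 4.x treated as an unsupported, EOL line). The script below is an added example, not code from the Spring projects or from anyone in this thread. It parses the text output of `mvn dependency:tree` (the sample trees are constructed for the example; the project coordinates `com.example:demo` are invented) and reports whether the dependency prerequisite is met. It only sees dependencies, so the other prerequisites listed in the thread (JDK 9+, Tomcat, WAR packaging) still have to be checked separately.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed Spring Framework patch levels named in the thread, keyed by (major, minor).
FIXED_PATCH = {(5, 3): 18, (5, 2): 20}
# Artifacts whose presence is the dependency prerequisite from the "am I impacted" list.
WEB_ARTIFACTS = {"spring-webmvc", "spring-webflux"}

# Constructed sample: Spring Security 5.6.2 pulling in its declared Spring Framework 5.3.16,
# plus an explicitly added spring-webmvc, before any version override.
SAMPLE_BEFORE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ demo ---
[INFO] com.example:demo:war:0.0.1-SNAPSHOT
[INFO] +- org.springframework.security:spring-security-web:jar:5.6.2:compile
[INFO] |  +- org.springframework.security:spring-security-core:jar:5.6.2:compile
[INFO] |  \\- org.springframework:spring-core:jar:5.3.16:compile
[INFO] \\- org.springframework:spring-webmvc:jar:5.3.16:compile
"""

# Constructed sample: the same project after forcing Spring Framework to 5.3.18
# (same 5.3 minor, only the patch version incremented, as the thread recommends).
SAMPLE_AFTER = SAMPLE_BEFORE.replace("5.3.16", "5.3.18")


def parse_version(text: str) -> Tuple[int, ...]:
    """Leading numeric components of a version: '5.3.18' -> (5, 3, 18), '4.3.30.RELEASE' -> (4, 3, 30)."""
    nums: List[int] = []
    for part in text.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def parse_dependency_tree(output: str) -> List[Dict[str, str]]:
    """Turn `mvn dependency:tree` lines into dicts with group, artifact, version and scope.

    Each dependency line ends in groupId:artifactId:type[:classifier]:version:scope;
    the root project line has only four fields and is skipped, as is any other output.
    """
    deps: List[Dict[str, str]] = []
    for line in output.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        parts = tokens[-1].split(":")
        if len(parts) < 5:
            continue
        deps.append({"group": parts[0], "artifact": parts[1],
                     "version": parts[-2], "scope": parts[-1]})
    return deps


def assess(deps: List[Dict[str, str]]) -> Dict[str, object]:
    """Report the resolved spring-core version, any web artifacts, and whether the
    dependency prerequisite for the Spring Framework RCE is met."""
    core: Optional[Dict[str, str]] = next(
        (d for d in deps if d["group"] == "org.springframework" and d["artifact"] == "spring-core"), None)
    web = sorted({d["artifact"] for d in deps
                  if d["group"] == "org.springframework" and d["artifact"] in WEB_ARTIFACTS})
    result: Dict[str, object] = {"spring_core": core["version"] if core else None,
                                 "web_artifacts": web, "framework_fixed": None,
                                 "prerequisite_met": False, "reason": ""}
    if core is None:
        result["reason"] = "spring-core not resolved; nothing to assess"
        return result
    v = parse_version(core["version"])
    line = v[:2]
    if line in FIXED_PATCH:
        fixed_patch = FIXED_PATCH[line]
        fixed = len(v) >= 3 and v[2] >= fixed_patch
        result["framework_fixed"] = fixed
        result["reason"] = (f"{core['version']} is at or above {line[0]}.{line[1]}.{fixed_patch}" if fixed
                            else f"{core['version']} is below the fixed {line[0]}.{line[1]}.{fixed_patch}")
    else:
        # 4.x and older 5.x lines have no fix published; the thread notes 4.x is EOL.
        result["framework_fixed"] = False
        result["reason"] = f"{core['version']} is not on a line with a published fix (upgrade)"
    result["prerequisite_met"] = bool(web) and not result["framework_fixed"]
    return result


if __name__ == "__main__":
    for label, tree in (("before override", SAMPLE_BEFORE), ("after override", SAMPLE_AFTER)):
        r = assess(parse_dependency_tree(tree))
        print(f"{label}: spring-core={r['spring_core']} web={r['web_artifacts']} "
              f"fixed={r['framework_fixed']} prerequisite_met={r['prerequisite_met']} ({r['reason']})")
```

Run it against a real tree with `mvn dependency:tree > tree.txt` and feed the file contents to `parse_dependency_tree`; a Gradle build needs a different parser, but the version logic in `assess` applies unchanged.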

Comment From: blackat

> Thank you for reaching out. We plan on providing our regular monthly patch release on April 18th, but we are not treating it as critical because Spring Security is not vulnerable to the exploit. This means we do not plan on providing a release with updated dependency versions in an expedited fashion.
>
> While Spring Security uses Spring Framework (which contains the vulnerability), context matters. For example, JDK deserialization can provide exploits if untrusted data is sent to be deserialized. This does not mean that any application that uses JDK deserialization has a CVE. Similarly, if untrusted data is sent through methods within Spring Framework it can lead to the most recent Spring CVE. Spring Security does not send untrusted data through the code path and thus is not vulnerable.
>
> If you are using spring-webflux or spring-webmvc, then it is advisable to update your Spring Framework version, as you may be impacted. These dependencies must be explicitly added (Spring Security does not bring them in), so updating them is necessary even if Spring Security updated its dependencies.
>
> That said, if you use spring-webmvc or spring-webflux, then you may be vulnerable. If that is the case, please update your Spring Framework versions accordingly. You can find more up-to-date information at https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted

Thanks a lot @rwinch for your reply, much appreciated.