Dear Compart customers,
As you may have heard from the press, a vulnerability in a widely used framework for Java-based enterprise application development (Spring Framework) was recently discovered and published as CVE-2022-22965. Immediately after this security vulnerability became known on March 31, 2022, Compart began investigating possible effects on its products and taking countermeasures.
The vulnerability is fixed in the following versions of the Spring Framework:
- 5.3.18+
- 5.2.20+
Spring Boot versions 2.5.12 and 2.6.6, which depend on the above, have also been published. CVE-2022-22965 only affects Spring versions running on Java >= 9 (Java 8 is not affected).
According to https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-I-impacted:
- The vulnerability involves ClassLoader access, and therefore, in addition to the specific attack reported with a Tomcat-specific ClassLoader, other attacks may be possible against a different custom ClassLoader.
- The issue relates to data binding used to populate an object from request parameters (either query parameters or form data). Data binding is used for controller method parameters that are annotated with @ModelAttribute or optionally without it, and without any other Spring Web annotation.
- The issue does not relate to @RequestBody controller method parameters (e.g. JSON deserialization). However, such methods may still be vulnerable if they have another method parameter populated via data binding from query parameters.
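To make the distinction above concrete, the following is an added example (it is not Compart's code and not code from the Spring announcement): a controller whose @ModelAttribute parameter is populated by Spring data binding, the path the advisory refers to, together with the WebDataBinder denylist that Spring published as a stop-gap workaround for applications that cannot immediately move to the fixed versions listed above. The package name, the ProfileForm bean and the /profile endpoint are assumptions for illustration.

```java
// Added example, not Compart's code: a data-binding endpoint of the kind the
// advisory describes, plus the WebDataBinder hardening that Spring published
// as a workaround for CVE-2022-22965. Upgrading Spring Framework to
// 5.3.18+ / 5.2.20+ remains the actual fix.
package com.example.advisory;   // hypothetical package name

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

// Plain form-backing bean (hypothetical) populated by Spring data binding.
class ProfileForm {
    private String displayName;

    public String getDisplayName() { return displayName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }
}

@Controller
class ProfileController {
    // A @ModelAttribute parameter (or an unannotated bean parameter) is
    // populated from query/form parameters by WebDataBinder: this is the
    // data-binding path the advisory refers to. A @RequestBody parameter
    // (JSON deserialization) does not go through this binder.
    @PostMapping("/profile")
    public String save(@ModelAttribute ProfileForm form, Model model) {
        model.addAttribute("saved", form.getDisplayName());
        return "profile";
    }
}

// Global binder configuration: reject any request parameter whose property
// path passes through a "class" property, which is how binding reaches the
// ClassLoader the advisory mentions. This is the denylist workaround from
// Spring's announcement, applied to every controller in the application.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
class BinderControllerAdvice {
    @InitBinder
    public void setDisallowedFields(WebDataBinder binder) {
        String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        binder.setDisallowedFields(denylist);
    }
}
```

The advice is given the lowest precedence so that it runs after any per-controller @InitBinder methods; controllers that already restrict binding with setAllowedFields keep that behaviour. When auditing an application against this advisory, the check that matters is exactly the one the Spring text describes: enumerate controller methods whose parameters are bound from request parameters (@ModelAttribute or unannotated beans), not just those taking @RequestBody, and confirm either that the Spring Framework version is at or above the fixed releases or that a binder restriction like the one above is in place.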
Which Compart products are affected?
The following Compart products use versions of the Spring Framework susceptible to CVE-2022-22965; however, they do not use the data-binding controller method parameters described above that give rise to the vulnerability:
- DocBridge® Pilot
- DocBridge® Authentication and Authorization
- DocBridge® POM (Postal Optimization Module)
- DocBridge® Delta
- DocBridge® Document Desktop