Ascertia's response to Spring4Shell security issue

Posted by Sven Prinsloo on Apr 6, 2022 12:02:26 PM

In this blog we discuss the recent Spring4Shell security issue and Ascertia's response to it.

What is the Spring Framework?

The Spring Framework provides a comprehensive programming and configuration model for modern Java-based enterprise applications on any kind of deployment platform.

Spring4Shell security issue summary

Ascertia has become aware of a security issue within the Spring Framework that an attacker could exploit. No currently released Ascertia products make use of the Spring Framework for any data binding operations.

Spring4Shell (SpringShell) issues

  • CVE-2022-22965: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.

Further details are available at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965

Applicability to Ascertia products

No currently released Ascertia products make use of the Spring Framework for any data binding operations. ADSS Server does include Spring libraries within its file structure; these are used internally by the application.

To ensure that our applications were safe from this exploit, Ascertia performed the relevant tests on all currently supported versions of ADSS Server using third-party vulnerability assessment tools. The results of these tests indicated that none of our products were vulnerable to this CVE.
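The distinction drawn above (Spring libraries present in the file structure versus Spring MVC/WebFlux data binding actually in use on JDK 9+) is the triage a defender has to make for every Java deployment. The script below is an added example, not Ascertia's tooling or part of the original post: it inventories Spring Framework jars under a directory tree, parses their versions, and reports whether the CVE-2022-22965 preconditions named in the advisory (JDK 9+ plus a spring-webmvc or spring-webflux jar) are met. The fixed-version thresholds (5.3.18 and 5.2.20) come from Spring's own advisory for this CVE and are not stated on this page; the sample jar paths are constructed for illustration.

```python
"""Inventory Spring Framework jars and triage CVE-2022-22965 exposure (added example)."""
import os
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed Spring Framework releases per Spring's CVE-2022-22965 advisory
# (not stated in the blog post): 5.3.18 for the 5.3 line, 5.2.20 for 5.2.
# Older lines never received a fix; 6.x shipped after the fix.
FIXED: Dict[Tuple[int, int], Version] = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# The RCE path in the CVE is MVC/WebFlux data binding; spring-core or
# spring-beans alone on the classpath does not provide that path.
WEB_ARTIFACTS = ("spring-webmvc", "spring-webflux")

# Matches e.g. spring-webmvc-5.3.17.jar and spring-webmvc-5.2.19.RELEASE.jar
JAR_RE = re.compile(r"^(spring-[a-z]+)-(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?\.jar$")


@dataclass(frozen=True)
class SpringJar:
    artifact: str
    version: Version
    path: str


def parse_jar(path: str) -> Optional[SpringJar]:
    """Return a SpringJar for a Spring Framework module jar, else None."""
    m = JAR_RE.match(os.path.basename(path))
    if not m:
        return None
    version = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return SpringJar(m.group(1), version, path)


def is_fixed(version: Version) -> bool:
    """True when the version is at or past the fix for its release line."""
    if version[0] >= 6:
        return True
    fixed = FIXED.get(version[:2])
    return fixed is not None and version >= fixed


def find_jars(root: str) -> List[str]:
    """Walk a deployment tree (e.g. an application's lib directory) for jars."""
    return [os.path.join(d, f) for d, _, files in os.walk(root)
            for f in files if f.endswith(".jar")]


def assess(jar_paths: Iterable[str], jdk_major: int) -> Dict[str, object]:
    """Triage jar paths against the CVE preconditions.

    'exposed' is True only when JDK >= 9 and an unfixed spring-webmvc or
    spring-webflux jar is present; 'findings' explains the decision.
    """
    jars = [j for j in (parse_jar(p) for p in jar_paths) if j is not None]
    findings: List[str] = []
    unfixed = [j for j in jars if not is_fixed(j.version)]
    web_unfixed = [j for j in unfixed if j.artifact in WEB_ARTIFACTS]

    if not jars:
        findings.append("no Spring Framework jars found")
    for j in unfixed:
        findings.append(f"{j.artifact} {'.'.join(map(str, j.version))} predates the fix ({j.path})")

    exposed = bool(web_unfixed) and jdk_major >= 9
    if exposed:
        findings.append(f"JDK {jdk_major} with unfixed MVC/WebFlux: CVE-2022-22965 preconditions met")
    elif web_unfixed:
        findings.append(f"unfixed MVC/WebFlux present but JDK {jdk_major} < 9: upgrade regardless")
    elif unfixed:
        findings.append("unfixed Spring jars present but no spring-webmvc/webflux: "
                        "no data-binding path; schedule the upgrade")
    return {"exposed": exposed, "spring_jars": jars, "findings": findings}


# Constructed sample: Spring libraries bundled internally, no MVC/WebFlux jar.
SAMPLE_JARS = [
    "/opt/example-app/lib/spring-core-5.3.15.jar",
    "/opt/example-app/lib/spring-beans-5.3.15.jar",
    "/opt/example-app/lib/commons-io-2.11.0.jar",
]

if __name__ == "__main__":
    result = assess(SAMPLE_JARS, jdk_major=11)
    print("exposed:", result["exposed"])
    for line in result["findings"]:
        print(" -", line)
```

Run it against a real tree with `assess(find_jars("/path/to/app"), jdk_major=11)`; a hit only says the preconditions are met, so confirm the application actually exposes Spring MVC or WebFlux endpoints before treating it as exploitable, and upgrade any unfixed jar either way.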

Continued investigation and support

Ascertia will continue to monitor this CVE and any related CVEs and will ensure that any necessary remediation is applied to safeguard Ascertia products and customers.

If you have any security-related questions, please contact Ascertia support or your account team.