Spring Framework RCE, CVE-2022-22965
source link: https://www.jenkins.io/blog/2022/03/31/spring-rce-CVE-2022-22965/
A remote code execution vulnerability has been identified in the Spring Framework.
This vulnerability is identified as CVE-2022-22965.
Spring reacted early with an official announcement.
Spring4Shell in Jenkins Core and Plugins
The Jenkins security team has confirmed that the Spring vulnerability does not affect Jenkins Core. There is no impact because Jenkins uses Stapler as its servlet layer, and neither Spring MVC nor Spring WebFlux.
An analysis was done on the plugins to determine whether some were using Spring in a dangerous way. No impact was found.
The vulnerable library is pulled in as a dependency of spring-security-web, which has not yet been updated to the fixed version.
The presence of Spring Framework is not enough to make the application vulnerable.
Spring4Shell in the Jenkins Infrastructure
The Jenkins infrastructure and security teams have confirmed that the Spring vulnerability is not affecting any part of the Jenkins infrastructure.
The following applications are Java applications that mention Spring as a dependency:
- The web service customize.jenkins.io was stopped out of an abundance of caution.
- The API of the web service plugins.jenkins.io is not affected, as it runs on JDK 8 and uses only GlassFish servlets.
- The web service accounts.jenkins.io is not affected, as it also runs on JDK 8 and uses Stapler as its servlet layer.
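The reasoning above for Jenkins Core and for the infrastructure services rests on two checks: whether Spring MVC or Spring WebFlux is actually on the classpath (a transitive spring-security-web dependency alone is not enough), and whether the runtime is JDK 8 or JDK 9+. The following triage helper is an added example, not code from Jenkins or from this post; it parses constructed `mvn dependency:tree` output, applies those two conditions, and is a triage aid rather than a proof of safety, since Spring's own advisory lists further conditions (deployment as a WAR on Tomcat) that it does not check.

```python
import re

# Constructed sample of `mvn dependency:tree` output: Spring enters only via
# spring-security-web and the servlet layer is Stapler, as described in the post.
SAMPLE_TREE_STAPLER = """\
[INFO] org.example:app:war:1.0
[INFO] +- org.springframework.security:spring-security-web:jar:5.5.1:compile
[INFO] |  +- org.springframework:spring-core:jar:5.3.9:compile
[INFO] |  \\- org.springframework:spring-web:jar:5.3.9:compile
[INFO] \\- org.kohsuke.stapler:stapler:jar:1.263:compile
"""

# Constructed sample of an application that does ship Spring MVC.
SAMPLE_TREE_MVC = """\
[INFO] org.example:app2:war:1.0
[INFO] \\- org.springframework:spring-webmvc:jar:5.3.9:compile
[INFO]    \\- org.springframework:spring-beans:jar:5.3.9:compile
"""

# The two modules the post singles out as the precondition for impact.
WEB_MODULES = {"spring-webmvc", "spring-webflux"}

# Matches one tree line: tree-drawing characters, then groupId:artifactId:jar:version.
DEP_RE = re.compile(r"^\[INFO\]\s+([|+\\\- ]*)([\w.\-]+):([\w.\-]+):jar:([\w.\-]+)")


def find_web_modules(tree_text):
    """Return {artifactId: version} for spring-webmvc/spring-webflux anywhere in the tree."""
    found = {}
    for line in tree_text.splitlines():
        m = DEP_RE.match(line)
        if m and m.group(3) in WEB_MODULES:
            found[m.group(3)] = m.group(4)
    return found


def jdk_major(version_string):
    """Map a java.version string ('1.8.0_292' or '11.0.2') to its major number."""
    parts = version_string.split(".")
    return int(parts[1]) if parts[0] == "1" else int(parts[0])


def assess(tree_text, java_version):
    """Apply the two conditions the post relies on: a Spring MVC/WebFlux module and JDK 9+."""
    web = find_web_modules(tree_text)
    major = jdk_major(java_version)
    if not web:
        return "no Spring MVC/WebFlux on the classpath"
    if major < 9:
        return f"{', '.join(sorted(web))} present but JDK {major} is not affected"
    return f"review needed: {', '.join(f'{a} {v}' for a, v in sorted(web.items()))} on JDK {major}"
```

A tree that only reaches spring-core and spring-web through spring-security-web is reported as clean, which is exactly the distinction the post draws between "Spring is present" and "Spring MVC is in use".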
We may decide to disable some services if we discover other vulnerabilities. You can see the status of services on the status page at status.jenkins.io.
Further Updates
We may update this blog post, if there are any corrections to be made, and in that case we’ll clearly call those out at the top.
About the Authors
Wadeck is the Jenkins security officer, leading the security team in improving Jenkins security. He likes to provide solutions that are both useful and easy to use.
Damien is the Jenkins Infrastructure officer and a software engineer at CloudBees working as a Site Reliability Engineer for the Jenkins Infrastructure project. Not only is he a decade-long Hudson/Jenkins user, but also an open-source citizen who participates in Updatecli, Asciidoctor, Traefik and many others.