CVE-2022-22965 Spring4Shell RCE analysis

On March 31st, 2022 the Spring Project announced a zero-day vulnerability in the Spring Framework, CVE-2022-22965. The announcement on the Spring Blog makes it seem very unlikely that any Aerospike products are exposed.

If the application is deployed as a Spring Boot executable jar (the default), it is not vulnerable to the exploit.

These are the prerequisites for the exploit:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR (in contrast to a Spring Boot executable jar)
  • spring-webmvc or spring-webflux dependency

The Aerospike REST gateway is a Spring Boot application, distributed as an executable jar.
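As an added example (not Aerospike's own code), a small Python triage helper that checks a deployable artifact against the four prerequisites listed above and also whether the bundled Spring Framework is at a patched release. The patched Spring Framework versions it assumes (5.3.18 for the 5.3 line, 5.2.20 for the 5.2 line) come from the Spring advisory and are not stated on this page; the sample WAR is constructed inline.

```python
import io
import re
import zipfile
from typing import Dict, Optional, Tuple

# Patched Spring Framework releases per the Spring advisory (assumption; not stated on this page).
FIXED_SPRING = {5: {3: (5, 3, 18), 2: (5, 2, 20)}}
DEP_RE = re.compile(
    r"WEB-INF/lib/(spring-webmvc|spring-webflux)-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")


def spring_web_dep(war_bytes: bytes) -> Optional[Tuple[str, Tuple[int, int, int]]]:
    """Return (artifact, version) of a bundled spring-webmvc/webflux jar, or None."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for name in zf.namelist():
            m = DEP_RE.match(name)
            if m:
                return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return None


def spring_is_patched(version: Tuple[int, int, int]) -> bool:
    """True when the version is at or above the fix release for its 5.x line."""
    fixed = FIXED_SPRING.get(version[0], {}).get(version[1])
    # Lines with no fix release (e.g. end-of-life 5.1.x) are treated as unpatched.
    return fixed is not None and version >= fixed


def triage(artifact: str, war_bytes: bytes, jdk_major: int, container: str) -> Dict[str, bool]:
    """Evaluate each prerequisite; 'exposed' holds only when all of them do."""
    is_war = artifact.endswith(".war")
    dep = spring_web_dep(war_bytes) if is_war else None
    checks = {
        "jdk_9_plus": jdk_major >= 9,
        "tomcat": "tomcat" in container.lower(),
        "war_packaging": is_war,
        "spring_web_dep": dep is not None,
        "spring_unpatched": dep is not None and not spring_is_patched(dep[1]),
    }
    checks["exposed"] = all(checks.values())
    return checks


def build_sample_war(spring_version: str) -> bytes:
    """Constructed sample WAR: only the entry names matter for this triage."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr(f"WEB-INF/lib/spring-webmvc-{spring_version}.jar", b"")
    return buf.getvalue()
```

Running `triage("gateway.war", build_sample_war("5.3.10"), 11, "Apache Tomcat")` reports every prerequisite as met; the same artifact packaged as a jar, or rebuilt on Spring Framework 5.3.18, is reported as not exposed.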

However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

While we have not identified a vulnerability that directly affects the REST gateway, we intend to release

  • A new REST gateway version 1.10 (currently on Spring Boot 2.5.5 / Spring Framework 5.3.10), upgraded to Spring Boot 2.5.12
  • Potentially new REST gateway versions 1.8 and 1.9 (both use Spring Boot 2.4.5 / Spring Framework 5.3.6) if the Spring Project releases a new Spring Boot 2.4.x with the fix. Otherwise, consider upgrading your REST gateway to its upcoming 1.10 release.

Update for 2022-04-03: REST gateway version 1.11.0 is now available. This version uses Spring Boot 2.5.12.