Compart - Document- and Output-Management

Customer Information on CVE-2022-22965 ("Spring4Shell")

Dear Compart customers,

As you may have heard from the press, a vulnerability in the Spring Framework, a widely used framework for Java-based enterprise application development, was recently discovered and published as CVE-2022-22965. Immediately after this vulnerability became known on March 31, 2022, Compart began investigating possible effects on its products and taking countermeasures.


The vulnerability is fixed in the following versions of the Spring Framework:

  • 5.3.18+
  • 5.2.20+

Spring Boot 2.5.12 and 2.6.6, which depend on the fixed Spring Framework versions above, have also been released. CVE-2022-22965 is only exploitable when the application runs on JDK 9 or newer; applications running on Java 8 are not affected.
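The following POSIX shell script is an added example, not part of Compart's advisory and not Compart's or Spring's own tooling. It checks the two preconditions stated above on a server: it classifies Spring Framework jar versions against the fixed releases (5.3.18+, 5.2.20+), derives the JDK feature release from a `java -version` string, and reports exposure only when both conditions hold. The jar names and directory layout in the demo are constructed, and the module filter (spring-beans, spring-core, spring-web, spring-webmvc) is an assumption about a deployment that ships the framework as plain jars.

```shell
#!/bin/sh
# Added example (not Compart's or Spring's code). Checks for the two
# Spring4Shell preconditions named in the advisory: an unfixed Spring
# Framework version and a JDK 9+ runtime.

# ver_ge A B: succeed if dotted version A >= B. Non-numeric components,
# such as the ".RELEASE" suffix used by Spring 5.2.x, compare as 0.
ver_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      xi = (i <= n ? x[i] : 0) + 0; yi = (i <= m ? y[i] : 0) + 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# spring_fixed VERSION: succeed if VERSION is at or above the fixed release
# of its line. Lines without a published fix (5.1.x, 4.x) count as unfixed.
spring_fixed() {
  case "$1" in
    5.3.*) ver_ge "$1" 5.3.18 ;;
    5.2.*) ver_ge "$1" 5.2.20 ;;
    *)     return 1 ;;
  esac
}

# java_major VERSION_STRING: print the JDK feature release number
# ("1.8.0_292" -> 8, "11.0.15" -> 11, "17" -> 17).
java_major() {
  case "$1" in
    1.*) printf '%s\n' "$1" | cut -d. -f2 ;;
    *)   printf '%s\n' "$1" | cut -d. -f1 ;;
  esac
}

# spring4shell_exposed SPRING_VERSION JAVA_VERSION: succeed only when the
# framework is unfixed AND the runtime is JDK 9 or newer.
spring4shell_exposed() {
  spring_fixed "$1" && return 1
  [ "$(java_major "$2")" -ge 9 ]
}

# installed_java_major: feature release of the JDK on PATH. `java -version`
# writes to stderr, hence the redirect.
installed_java_major() {
  v=$(java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
  [ -n "$v" ] && java_major "$v"
}

# scan_spring_jars DIR: print a verdict for every Spring Framework jar under
# DIR. Spring Boot jars (spring-boot-*) carry their own 2.x version scheme
# and are deliberately not matched; jars nested inside a WAR or fat jar are
# not seen either (assumption: plain jar deployment).
scan_spring_jars() {
  find "$1" -type f \( -name 'spring-beans-*.jar' -o -name 'spring-core-*.jar' \
       -o -name 'spring-web-*.jar' -o -name 'spring-webmvc-*.jar' \) |
  while IFS= read -r jar; do
    v=$(basename "$jar" .jar | sed 's/^spring-[a-z]*-//')
    if spring_fixed "$v"; then
      printf 'FIXED      %s (%s)\n' "$jar" "$v"
    else
      printf 'UNFIXED    %s (%s)\n' "$jar" "$v"
    fi
  done
}

# Stand-alone use: SPRING_SCAN_DIR=/path/to/installation sh spring4shell_check.sh
if [ -n "${SPRING_SCAN_DIR:-}" ]; then
  scan_spring_jars "$SPRING_SCAN_DIR"
  printf 'Installed JDK feature release: %s\n' "$(installed_java_major)"
fi
```

An UNFIXED jar on a Java 8 runtime is still worth upgrading, since a later JDK upgrade would silently make the installation exploitable; the script therefore reports the framework verdict independently of the runtime check.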

According to the Spring announcement at https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-I-impacted :

  • The vulnerability involves ClassLoader access, and therefore in addition to the specific attack reported with a Tomcat specific ClassLoader, other attacks may be possible against a different custom ClassLoader
  • The issue relates to data binding used to populate an object from request parameters (either query parameters or form data). Data binding is used for controller method parameters that are annotated with @ModelAttribute or optionally without it, and without any other Spring Web annotation
  • The issue does not relate to @RequestBody controller method parameters (e.g. JSON deserialization). However, such methods may still be vulnerable if they have another method parameter populated via data binding from query parameters


Which Compart products are affected?

The following Compart products ship versions of the Spring Framework that are susceptible to CVE-2022-22965. However, they do not use the data-binding style of controller method parameters (@ModelAttribute, or an un-annotated parameter populated from request parameters) that makes the vulnerability exploitable:

  • DocBridge® Pilot
  • DocBridge® Authentication and Authorization
  • DocBridge® POM (Postal Optimization Module)
  • DocBridge® Delta
  • DocBridge® Document Desktop


What actions is Compart taking to mitigate the risk?

Hotfixes

Although the DocBridge products listed under "Which Compart products are affected?" do not use the affected data-binding style of controller method parameters, Compart has nevertheless prepared hotfixes for these products, upgrading the Spring Framework to a version in which the vulnerability is fixed (5.3.18+ or 5.2.20+, as indicated above).

  • Hotfixes are available from the Compart Support organization. Patches will later also be available for download on my.compart.com.
  • Please note: fixes and patches are only provided for supported versions of DocBridge products (e.g. Pilot 4.1.0, 4.0.4 and 3.9.10).

What about other products such as DocBridge® Mill or DocBridge® Impress?

  • Compart products not listed in the section above, such as DocBridge® Mill and DocBridge® Impress, do not use Java and are therefore not affected by CVE-2022-22965.

What else is Compart doing to minimize the risk posed by Spring4Shell?

Immediately after the vulnerability became known, all internal IT systems were checked for exposure in addition to our own software, the recommended countermeasures were applied and available patches were installed. We will continue to monitor the situation closely and inform our customers promptly if new information becomes available.
