On Spring Framework vulnerability (Spring4Shell)

Hi everyone,

A couple days ago a critical security vulnerability was found in the Spring Framework: https://tanzu.vmware.com/security/cve-2022-22965

As stated in the report, the prerequisites for the exploit are:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

Additionally, the known exploit scenarios involve the use of POJOs bound to request parameters in Spring MVC controllers. Such use case in CUBA platform exists only in the WebDAV add-on. So most probably your project is vulnerable only if you use WebDAV or if you have custom Spring MVC controllers with POJOs in request parameters. Consider also that WebDAV endpoints require authentication, so the probablility of a real attack is low.

Nevertheless, we recommend updating the spring-webmvc dependency in your project. If you are using CUBA v.7.2, it can be done by adding the following line to your build.gradle:

configure(globalModule) {
    dependencies {
        // ...

If you are on CUBA 6.10 and hence on Java 8, your application is not vulnerable.

Next week we will release a new version 7.2.19 of the CUBA platform with updated dependencies (see https://github.com/cuba-platform/cuba/issues/3265). After upgrading your project to CUBA 7.2.19, remove the explicit dependency on spring-webmvc from your build.gradle.

For recommendations on Jmix projects, see https://forum.jmix.io/t/on-spring-framework-vulnerability-spring4shell/1297