Vulnerability Update - Spring4Shell (CVE-2022-22963)
Background
Spring is a very popular application framework that allows software developers to quickly and easily develop Java applications with enterprise-level features. These applications can then be deployed on servers, such as Apache Tomcat, as stand-alone packages with all the required dependencies.
Events
To help keep customers informed of our latest responses to the Spring4Shell issue, we have created an events table to detail the key steps we have/are taking;
Date | Event |
|---|---|
Apr 1, 2022 | We became aware of a vulnerability known as Spring4Shell (CVE-2022-22963), and we’re closely monitoring this |
Currently, with the information available on Spring4Shell, we do not believe the Dashboard will be vulnerable. This is because of following reasons:
The requirement for JDK9+ which we do not yet support
We do not directly use Spring and investigation by Grails, which we do use, has determined they are not affected because they have their own implementation of the affected area
We will be shortly making available the very latest release of Tomcat which contains additional fixes which would provide a further layer of protection. In addition to this, we are continually working on dependency upgrades to ensure the latest fixes are in place
NEWS: We are pleased to share that our March 24 dashboard release is now available to download, see HERE for more details