This page will be updated over the coming days as and when new information is available.

Introduction

Two Remote Code Execution (RCE) vulnerabilities have recently been found in Spring Framework (the Java-based application framework):

See also:

CVE-2022-22963

In summary, any Java application that uses the following is potentially vulnerable to this CVE:

Spring have fixed this vulnerability in the following releases:

CVE-2022-22965

In summary, any Java application that uses the following combination of items is potentially vulnerable to this CVE:

Spring have fixed this vulnerability in the following releases:

What information does this page provide?

CAST makes use of Spring Framework / Spring Boot / Spring Cloud Function in various products, therefore this page explains:

Which CAST products are affected?

Product | CVE-2022-22963 | CVE-2022-22965
--- | --- | ---
CAST Dashboards (standalone and embedded via the integrated RestAPI) | Not affected (Spring Cloud is used in 2.x, however, the Spring Cloud Function itself is not used). | All releases (when deployed on Apache Tomcat via a WAR file AND with Java 9 or above).
AIP Core | Not affected. | Not affected.
CAST Imaging | Not affected. | Not affected.
AIP Console/AIP Node | Not affected (Spring Cloud is used in 2.x, however, the Spring Cloud Function itself is not used). | Not affected (impacted Spring Framework JARs are used in all releases, however, they are not deployed via a traditional WAR).
CAST official extensions | Not affected. | Not affected.

How does CAST plan to mitigate the threat?

CAST will release updates to affected products in the coming days - these updates will contain Spring Framework 5.3.18 / 5.2.20 and/or Spring Boot 2.6.6 / 2.5.12, which fix the vulnerabilities. Only the most recent releases of each affected product will be patched, so receiving the patch necessarily means upgrading to the newest release (CAST highly recommends this in all situations where possible).

Affected Product | Proposed release containing fixes | Detail of fixes provided
--- | --- | ---
CAST Dashboards (standalone) | 2.6.1-funcrel | Scheduled soon.
CAST Dashboards (standalone) | 1.28.7-funcrel | Scheduled soon.


What can you do to prevent the vulnerability from being exploited?

If you are waiting for a patch from CAST for an impacted product, or you cannot upgrade to the CAST product release containing Spring Framework 5.3.18 / 5.2.20 and/or Spring Boot 2.6.6 / 2.5.12, you can perform the action listed below to mitigate the vulnerability.
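As an added example (not CAST's code or a tool from this page), the following Python triage helper applies the exposure conditions and fixed Spring releases stated on this page to inventory data; because the fixed Apache Tomcat releases are not listed here, whether Tomcat has been upgraded is passed in as a flag the operator sets.

```python
# Added triage helper, not CAST's own tooling. It encodes the conditions this
# page states for CVE-2022-22965 (unpatched Spring, WAR on Tomcat, Java 9+)
# and the fixed Spring releases it lists; Tomcat upgrade state is a flag.
import re
from typing import Tuple

# Branch -> first patch level containing the fix, as listed on this page.
SPRING_FRAMEWORK_FIXED = {(5, 3): 18, (5, 2): 20}
SPRING_BOOT_FIXED = {(2, 6): 6, (2, 5): 12}


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric components only: '5.3.18.RELEASE' -> (5, 3, 18)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_patched(version: str, fixed: dict) -> bool:
    """True only on a branch with a fix and at or above its patch level.
    Branches without a listed fix (e.g. 5.1.x) are treated as unpatched."""
    parts = parse_version(version)
    if len(parts) < 3:
        return False  # unknown patch level: assume unpatched
    branch, patch = parts[:2], parts[2]
    return branch in fixed and patch >= fixed[branch]


def java_major(version: str) -> int:
    """Legacy '1.8.0_292' -> 8; modern '11.0.14' -> 11, '17' -> 17."""
    parts = parse_version(version)
    if not parts:
        return 0
    if parts[0] == 1 and len(parts) > 1:
        return parts[1]
    return parts[0]


def spring4shell_exposed(spring_framework: str, java_version: str,
                         tomcat_war: bool, tomcat_upgraded: bool = False) -> bool:
    """All page conditions must hold for the deployment to be exposed."""
    if is_patched(spring_framework, SPRING_FRAMEWORK_FIXED):
        return False
    if tomcat_upgraded:  # Tomcat-side mitigation described on this page
        return False
    return tomcat_war and java_major(java_version) >= 9


if __name__ == "__main__":
    # Constructed inventory rows: (host, spring, java, war?, tomcat upgraded?)
    for row in [("dash-01", "5.3.17", "11.0.14", True, False),
                ("dash-02", "5.3.17", "1.8.0_292", True, False),
                ("dash-03", "5.3.18", "17", True, False)]:
        print(row[0], "EXPOSED" if spring4shell_exposed(*row[1:]) else "ok")
```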

Upgrade Apache Tomcat to mitigate CVE-2022-22965

Apache has released updates to Apache Tomcat which mitigate the threat posed by CVE-2022-22965, as discussed in https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative. The CVE is not in Apache Tomcat itself; however, the new releases include a change that disables the WebappClassLoaderBase.getResources() method, which prevents CVE-2022-22965 from being exploited.

Therefore, CAST highly recommends upgrading your deployed Apache Tomcat to the following releases (supported by CAST for deployment of CAST Dashboards/RestAPI) wherever possible: