Spring4shell CVE
TLDR - Quick Summary
What: Spring4shell RCE vulnerability (CVE-2022-22965) assessment
Status: SFTP Gateway is NOT vulnerable - packaged as bootable JAR, not WAR
Action: Ensure web admin ports are restricted to sysadmin IPs as precaution
Overview
Spring4shell is a remote code execution (RCE) vulnerability in the Spring Framework (CVE-2022-22965). It affects Spring (Java) applications only when several specific conditions hold at the same time.
Although SFTP Gateway is a Spring application written in Java, it does not meet the conditions of this CVE (in particular, it is not packaged as a WAR). We were also unable to reproduce the vulnerability in our initial testing.
Versions and CVE conditions
For an application to be exposed to the published exploit, it has to match all of the conditions outlined in the Spring advisory.
SFTP Gateway matches the following conditions:
- Use of JDK 9 or higher
- Use of spring-webmvc as a dependency
- Use of Spring Framework versions 5.3.0 to 5.3.17 (we use 5.3.12)
SFTP Gateway does not match the following conditions:
- Packaged as a traditional WAR (SFTP Gateway ships as a Spring Boot executable JAR)
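To make the checklist above mechanical, the following added example (not SFTP Gateway code, and not from the Spring advisory) inspects a JAR or WAR offline and reports which of the conditions it meets: packaging style, presence of a Spring web module, Spring Framework version against the affected ranges, and the JDK major version supplied by the caller. It assumes that Spring module versions can be read from the library jar file names under BOOT-INF/lib/ (executable JAR) or WEB-INF/lib/ (traditional WAR); the two sample artifacts are constructed in memory as stand-ins for real builds.

```python
"""Offline screen of a Spring artifact (JAR or WAR) against the CVE-2022-22965
conditions. Added example, not SFTP Gateway code. Only the zip contents are
inspected, so no Java installation is needed."""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected Spring Framework ranges from the Spring advisory (fixed in 5.3.18 / 5.2.20).
AFFECTED_RANGES = (((5, 3, 0), (5, 3, 17)), ((5, 2, 0), (5, 2, 19)))

# Assumption: library jars keep their Maven-style names, so the version can be
# read from the file name (e.g. BOOT-INF/lib/spring-webmvc-5.3.12.jar).
SPRING_JAR_RE = re.compile(r"(?:^|/)spring-(webmvc|webflux|beans)-(\d+)\.(\d+)\.(\d+)\.jar$")


@dataclass
class Assessment:
    packaging: str                    # "boot-jar", "war" or "unknown"
    web_module: bool                  # spring-webmvc or spring-webflux present
    spring_version: Optional[Version]
    version_affected: bool
    jdk_9_or_higher: bool
    all_conditions_met: bool          # true only if every listed condition holds


def version_affected(v: Optional[Version]) -> bool:
    return v is not None and any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def detect_packaging(names, manifest: str) -> str:
    # Spring Boot executable JARs carry a BOOT-INF/ tree and a loader Main-Class;
    # a traditional WAR has WEB-INF/ and is deployed into a standalone servlet container.
    if any(n.startswith("BOOT-INF/") for n in names) or \
            "Main-Class: org.springframework.boot.loader.JarLauncher" in manifest:
        return "boot-jar"
    if any(n.startswith("WEB-INF/") for n in names):
        return "war"
    return "unknown"


def assess(artifact: bytes, jdk_major: int) -> Assessment:
    with zipfile.ZipFile(io.BytesIO(artifact)) as zf:
        names = zf.namelist()
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    packaging = detect_packaging(names, manifest)
    web_module = False
    versions: Dict[str, Version] = {}
    for n in names:
        m = SPRING_JAR_RE.search(n)
        if m:
            module = m.group(1)
            versions[module] = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
            if module in ("webmvc", "webflux"):
                web_module = True
    # The vulnerable data-binding code lives in spring-beans, so prefer its version.
    spring_version = versions.get("beans") or versions.get("webmvc") or versions.get("webflux")
    affected = version_affected(spring_version)
    jdk_ok = jdk_major >= 9
    return Assessment(packaging, web_module, spring_version, affected, jdk_ok,
                      packaging == "war" and web_module and affected and jdk_ok)


def build_artifact(entries: Dict[str, bytes]) -> bytes:
    """Constructed sample artifact: a zip with the given entries, standing in for a real JAR/WAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins for the two packaging styles discussed on this page.
BOOT_JAR = build_artifact({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: org.springframework.boot.loader.JarLauncher\n",
    "BOOT-INF/lib/spring-webmvc-5.3.12.jar": b"",
    "BOOT-INF/lib/spring-beans-5.3.12.jar": b"",
})
TRADITIONAL_WAR = build_artifact({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "WEB-INF/web.xml": b"<web-app/>",
    "WEB-INF/lib/spring-webmvc-5.3.12.jar": b"",
    "WEB-INF/lib/spring-beans-5.3.12.jar": b"",
})

if __name__ == "__main__":
    for label, art in (("boot-jar", BOOT_JAR), ("war", TRADITIONAL_WAR)):
        print(label, assess(art, jdk_major=11))
```

Run against a real build artifact by reading the file into `assess()` with the JDK version the service runs on. The executable JAR sample matches the JDK, web module and version conditions but not the WAR condition, which is exactly the situation described for SFTP Gateway; the WAR sample matches all of them.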
If you are concerned about this CVE, we recommend that your security team manually verify whether they can reproduce the vulnerability against your deployment. Note that the Spring advisory describes the published conditions as prerequisites for the known exploit and cautions that the underlying weakness is more general, so the definitive fix is upgrading to Spring Framework 5.3.18 or 5.2.20 (Spring Boot 2.6.6 or 2.5.12) or later. In the meantime, make sure that web application ports are restricted to IP addresses for sysadmins only.