Spring4shell CVE
TLDR - Quick Summary
What: SFTP Gateway status regarding Spring4shell CVE-2022-22965
Status: Not vulnerable - SFTP Gateway uses bootable JAR, not WAR packaging
Recommendation: Restrict web admin ports to sysadmin IPs only
Verification: Have security team test if concerned
Overview
Spring4shell is a remote code execution (RCE) vulnerability (CVE-2022-22965) affecting Spring Framework (Java) applications, but only under a specific combination of conditions.
Although our product is a Spring application written in Java, SFTP Gateway does not meet the conditions of this CVE (e.g. it is not packaged as a WAR). Also, we were not able to reproduce the vulnerability in our initial testing of this CVE.
Versions and CVE conditions
For an application to be vulnerable, it would have to match several conditions outlined in the Spring advisory.
SFTP Gateway matches the following conditions:
- Use of JDK 9 or higher
- Use of `spring-webmvc` as a dependency
- Use of Spring Framework versions `5.3.0` to `5.3.17` (we use `5.3.12`)
SFTP Gateway does not match the following conditions:
- Packaged as a traditional WAR (we are using a Spring bootable JAR)
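The four conditions above can be checked mechanically. The following Python script is an added example (not SFTP Gateway code and not from the Spring advisory) that reads a Maven POM and reports which of the conditions listed on this page are met; the sample POM is constructed here to mirror the values stated above (bootable JAR packaging, `spring-webmvc` at `5.3.12`). The JDK major version is passed in as a parameter because it is a runtime property the POM does not record, and a `spring-webmvc` version that is managed outside the POM (for example inherited from a parent) is reported as unknown rather than guessed.

```python
import re
import xml.etree.ElementTree as ET

# Conditions as summarised on this page (inclusive version range).
WEBMVC_ARTIFACT = "spring-webmvc"
VULN_MIN, VULN_MAX = (5, 3, 0), (5, 3, 17)
MIN_JDK = 9

# Constructed sample POM modelled on the values stated on this page.
SAMPLE_POM_JAR = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0</version>
  <packaging>jar</packaging>
  <properties>
    <spring.version>5.3.12</spring.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>${spring.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """Turn '5.3.12' (or '5.3.12.RELEASE') into a comparable tuple (5, 3, 12)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def _local(tag):
    # Strip the Maven XML namespace so lookups work with or without xmlns.
    return tag.split("}", 1)[-1]


def _child(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def _text(elem):
    return (elem.text or "").strip() if elem is not None else ""


def assess_pom(pom_xml, jdk_major):
    """Check a Maven POM against the CVE-2022-22965 conditions listed on this page."""
    root = ET.fromstring(pom_xml)

    # Collect <properties> so ${...} references in versions can be resolved.
    props = {_local(p.tag): _text(p) for p in (_child(root, "properties") or [])}

    def resolve(value):
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

    # Maven defaults to jar packaging when <packaging> is absent.
    packaging = _text(_child(root, "packaging")) or "jar"

    webmvc_found, webmvc_version = False, None
    for dep in (_child(root, "dependencies") or []):
        if _text(_child(dep, "artifactId")) == WEBMVC_ARTIFACT:
            webmvc_found = True
            raw = _text(_child(dep, "version"))
            webmvc_version = resolve(raw) if raw else None  # None: managed elsewhere

    in_range = False
    if webmvc_version is not None and "${" not in webmvc_version:
        in_range = VULN_MIN <= parse_version(webmvc_version) <= VULN_MAX

    conditions = {
        "jdk_9_or_higher": jdk_major >= MIN_JDK,
        "uses_spring_webmvc": webmvc_found,
        "spring_5_3_0_to_5_3_17": in_range,
        "packaged_as_war": packaging.lower() == "war",
    }
    return {
        "packaging": packaging,
        "spring_webmvc_version": webmvc_version,
        "conditions": conditions,
        "all_conditions_met": all(conditions.values()),
    }


if __name__ == "__main__":
    # JDK 11 is an assumed runtime value for the demonstration.
    for name, pom in [("jar build", SAMPLE_POM_JAR),
                      ("war build", SAMPLE_POM_JAR.replace("<packaging>jar", "<packaging>war"))]:
        result = assess_pom(pom, jdk_major=11)
        print(name, "->", "all conditions met" if result["all_conditions_met"]
              else "not all conditions met", result["conditions"])
```

Run as a script it assesses the constructed jar POM (which, like SFTP Gateway, fails the WAR condition) and the same POM with WAR packaging (which matches all four conditions). The check is a triage aid only: it says nothing about Gradle builds, shaded dependencies, or version overrides outside the POM, which is why the page still recommends that a security team verify by testing.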
If you are concerned about this CVE, we recommend that your security team manually verify whether they can reproduce the vulnerability against your deployment. Also, make sure that the web application ports are reachable only from the IP addresses of your sysadmins.