Spring4shell is a remote command execution (RCE) vulnerability (CVE-2022-22965). This applies to Spring (Java) applications under specific circumstances.
Although our product is a Spring application written in Java, SFTP Gateway does not meet the conditions of this CVE (e.g. it is not packaged as a WAR). Also, we were not able to reproduce the vulnerability in our initial testing of this CVE.
Versions and CVE conditions
For an application to be vulnerable, it would have to match several conditions outlined in the Spring advisory.
SFTP Gateway matches the following conditions:
- Use of JDK 9 or higher
- Use of
spring-webmvcas a dependency
- Use Spring framework versions
SFTP Gateway does not match the following conditions:
- Packaged as a traditional WAR (we are using a Spring bootable JAR)
If you are concerned with this CVE, we recommend that your security team manually verify whether they can reproduce the vulnerability. Also, make sure that web application ports are restricted to IP addresses for sysadmins only.