CVE-2022-22965 - Details and action plan

IriusRisk uses the Spring Framework version 4.3.23 that is affected by CVE-2022-22965, however, this vulnerability cannot be exploited in standard installations of IriusRisk because we use OpenJDK version 8 which is not exploitable.  

If you are an onprem customer and use a non-standard installation with Java 9 or later, then action is required to mitigate the risk of compromise.

The Spring engineering team has published [1] two mitigations that make this vulnerability non exploitable, they are: 

• To use Java version 8 [2]

or

• To use Tomcat versions 10.0.20, 9.0.62, and 8.5.78 that include a mitigation for this issue at the Tomcat level. 

Although we already have Java 8 in place, our engineering team will release an updated docker image with version 9.0.62 of Tomcat [3] as an additional mitigation step. Extra alerting and monitoring have been added to our SaaS instances so that we can detect and/or block any exploit attempt. 

Actions Required: 

• If you are a SaaS customer: 

• No action is required.  The systems are not exploitable because of the use of Java 8, and we will upgrade the systems with the additional mitigations in place.

• If you have an on-premises installation with the default docker images provided by IriusRisk:

• No action is required.  An upgrade to the images will be provided shortly that contain the additional mitigations.

• If you have an on-premises installation and are using your own JDK:

• If you are using Java 9 or greater then action is required:
• Switch to using Java 8

Or 

• Upgrade to Tomcat versions 10.0.20, 9.0.62, and 8.5.78

References:

• [1] https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative 
• [2] https://wiki.openjdk.java.net/display/jdk8u/Main
• [3] https://tomcat.apache.org/tomcat-9.0-doc/changelog.html 

Further mitigations planned as of 6th of April 08:00 EST

1- We have deployed a WAF rule blocking the exploit payload.
2- We have published our docker containers with the latest versions of tomcat8 and 9 that include the mitigation.

Actions Required: 

• If you are a SaaS customer: 
  • • No action is required, the mitigations will be deployed in the planned updates tomorrow (06/04/22).

• If you have an on-premises installation with the default docker images provided by IriusRisk:
  • • Please pull and install the latest container from our repository.