IriusRisk uses Spring Framework 4.3.23, which is affected by CVE-2022-22965. However, the vulnerability cannot be exploited in standard installations of IriusRisk because they run on OpenJDK 8, and the known exploit for this CVE requires Java 9 or later.
If you are an on-prem customer running a non-standard installation on Java 9 or later, action is required to mitigate the risk of compromise.
The Spring engineering team has published [1] two mitigations, either of which makes this vulnerability non-exploitable:
- Run on Java 8 [2]
or
- Run on Tomcat 10.0.20, 9.0.62 or 8.5.78 (or a later release on the same branch), which include a mitigation for this issue at the Tomcat level.
Although we already run on Java 8, our engineering team will release an updated docker image with Tomcat 9.0.62 [3] as an additional mitigation. Extra alerting and monitoring have been added to our SaaS instances so that we can detect and/or block exploit attempts.
Actions Required:
- If you are a SaaS customer:
  - No action is required. The systems are not exploitable because they run Java 8, and we will upgrade them with the additional mitigations in place.
- If you have an on-premises installation with the default docker images provided by IriusRisk:
  - No action is required. An upgrade to the images containing the additional mitigations will be provided shortly.
- If you have an on-premises installation and are using your own JDK:
  - If you are using Java 9 or greater, action is required:
    - Switch to Java 8
    Or
    - Upgrade to Tomcat 10.0.20, 9.0.62 or 8.5.78 (or later), whichever branch you run
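The decision rule above (Java 8 means no action; Java 9 or later means action unless Tomcat already carries the Tomcat-level mitigation) can be scripted so that it is applied consistently across installations. The following is an added example written for this page, not IriusRisk tooling: it parses `java -version` output (both the legacy `1.8.0_x` form and the `11.0.15` / `17` form) and a Tomcat banner such as `Apache Tomcat/9.0.62`, then reports whether action is required. The sample inputs are constructed, and the treatment of later patch releases on each Tomcat branch as still mitigated is our assumption, not something the advisory states.

```python
"""Added example: apply the CVE-2022-22965 advice above to a given JDK and
Tomcat version. Illustrative code for this page, not IriusRisk tooling.
Assumption (ours): later patch releases on a mitigated Tomcat branch keep
the mitigation, so "10.0.20, 9.0.62, 8.5.78" is read as "or later"."""
import re
from typing import Tuple

# First Tomcat release carrying the mitigation, per branch (from the advisory).
MITIGATED_TOMCAT = {(10, 0): (10, 0, 20), (9, 0): (9, 0, 62), (8, 5): (8, 5, 78)}


def java_major(version_output: str) -> int:
    """Feature version from `java -version` output or a bare version string.
    "1.8.0_292" -> 8 (legacy 1.x naming); "11.0.15" -> 11; "17" -> 17."""
    m = re.search(r"(\d+)(?:\.(\d+))?", version_output)
    if not m:
        raise ValueError(f"cannot parse Java version from: {version_output!r}")
    first, second = int(m.group(1)), m.group(2)
    if first == 1 and second is not None:  # legacy 1.x form, e.g. 1.8.0_292
        return int(second)
    return first


def tomcat_version(version_output: str) -> Tuple[int, int, int]:
    """(major, minor, patch) from "Apache Tomcat/9.0.62" or a bare "9.0.62"."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError(f"cannot parse Tomcat version from: {version_output!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def tomcat_mitigated(version: Tuple[int, int, int]) -> bool:
    """True when the release is at or above the first mitigated release of
    its branch. Branches the advisory does not list (8.0.x, 7.x, ...) are
    treated as unmitigated."""
    floor = MITIGATED_TOMCAT.get((version[0], version[1]))
    return floor is not None and version >= floor


def action_required(java_output: str, tomcat_output: str) -> Tuple[bool, str]:
    """Advisory rule: Java 8 (or older) is not exploitable via the known
    exploit path; Java 9+ needs action unless Tomcat carries the mitigation."""
    major = java_major(java_output)
    if major < 9:
        return False, f"Java {major}: known exploit path unavailable, no action required"
    tc = tomcat_version(tomcat_output)
    tc_str = ".".join(map(str, tc))
    if tomcat_mitigated(tc):
        return False, f"Java {major}, but Tomcat {tc_str} includes the Tomcat-level mitigation"
    return True, (f"Java {major} with Tomcat {tc_str}: switch to Java 8 or upgrade Tomcat "
                  f"to 10.0.20 / 9.0.62 / 8.5.78 or later")


# Constructed sample pairs of `java -version` output and Tomcat banner.
SAMPLES = [
    ('openjdk version "1.8.0_292"', "Apache Tomcat/9.0.58"),
    ('openjdk version "11.0.15" 2022-04-19', "Apache Tomcat/9.0.58"),
    ('openjdk version "17.0.2" 2022-01-18', "Apache Tomcat/9.0.62"),
    ('openjdk version "11.0.15" 2022-04-19', "Apache Tomcat/8.5.79"),
    ('openjdk version "11.0.15" 2022-04-19', "Apache Tomcat/10.0.18"),
]

if __name__ == "__main__":
    for java_out, tomcat_out in SAMPLES:
        required, why = action_required(java_out, tomcat_out)
        print("ACTION REQUIRED" if required else "ok", "-", why)
```

On a running container the two inputs come from `java -version 2>&1` and `catalina.sh version` (or the `Server` response header if it is not suppressed); the script only encodes the advisory's rule and does not probe the application itself.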
References:
- [1] https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative
- [2] https://wiki.openjdk.java.net/display/jdk8u/Main
- [3] https://tomcat.apache.org/tomcat-9.0-doc/changelog.html
Further mitigations, updated as of 6th of April 08:00 EST
1- We have deployed a WAF rule blocking the exploit payload.
2- We have published our docker containers with the latest versions of Tomcat 8 and 9 that include the mitigation.
Actions Required:
- If you are a SaaS customer:
  - No action is required; the mitigations will be deployed in the planned updates tomorrow (06/04/22).
- If you have an on-premises installation with the default docker images provided by IriusRisk:
  - Please pull and install the latest container from our repository.