RE: RE: CVE-2022-22965 (Spring4shell) vulnerability evaluation?

Tobias Liefke, modified 3 years ago. Junior Member, Posts: 78, Join Date: 11/23/12

As even the latest Liferay CE version 7.4.18 from 2022-04-01 contains the vulnerable spring-webmvc.jar in version 5.2.10, I wanted to ask:

Is there an official evaluation available of whether and how Liferay is affected by CVE-2022-22965?

David H Nebinger, modified 3 years ago. Liferay Legend, Posts: 14933, Join Date: 9/2/06

Hi Tobias!

The official response has been posted to https://help.liferay.com/hc/articles/5202695113357

The TL;DR version: Liferay contains the vulnerable versions, but they cannot be exploited in a vanilla Liferay environment; any Spring-based customizations (like SpringPortletMVC, etc.) are up to the implementors to evaluate.

New versions of 7.4 will be released with the patched version of Spring (I believe for GA19/U19, but it might get pushed to GA20/U20). Clients using older versions of Liferay should contact support to get an update.

In case you don't have access to the help.liferay.com article, I'm including it below:

Spring4Shell and Spring Cloud Security Advisory

Spring Framework <= 5.3.17, CVE-2022-22963, CVE-2022-22965

Vulnerability Summary

On Mar 31, 2022 critical vulnerabilities were published in the Spring Framework. Spring is a Java library used by many Java-based applications worldwide. It is important to note that not all customers are affected by this vulnerability. Please read the details below to determine whether or not you are impacted by this security issue.

What is the concern?

The primary concern is that the vulnerabilities could be used via a simple HTTP request. In some cases the vulnerability is believed to provide attackers with the opportunity to execute program code remotely. Liferay recommends all customers take immediate steps to address the issues.

How is Liferay impacted?

Liferay Portal and DXP contain vulnerable versions of Spring Web MVC. In the non-customized installation there is no known way to exploit the vulnerability; the vulnerable code is not referenced from the product. We advise customers with custom portlets or extensions of Portal and DXP functionality to review and upgrade their Spring libraries.

How can I check and mitigate my exposure?

For code customizations, we recommend reading the VMware Spring announcements:

Will there be a formal fix for this issue?

We are working on updating or patching (depending on version) the Spring Web MVC library to a safe version; the products do not contain Spring Cloud. More updates will be shared on this page.

Questions?

Have more questions about the vulnerability? Don’t hesitate to reach out to Liferay Support or your Customer Success Manager.
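As an added example (not Liferay's or Spring's own code), a small inventory check that walks an installation for Spring Framework jars and flags any version before the fixed releases 5.3.18 and 5.2.20, the latter being the line the bundled spring-webmvc 5.2.10 sits on; it compares versions only and says nothing about whether a customization actually exposes the affected code, which is the review the advisory asks implementors to do. The directory layout in the demo is constructed.

```python
"""Added example: flag Spring Framework jars that predate the CVE-2022-22965 fix."""
import os
import re
import tempfile

# Spring Framework modules only (spring-security, spring-data are separate projects).
FRAMEWORK = {"spring-core", "spring-beans", "spring-context", "spring-web",
             "spring-webmvc", "spring-aop", "spring-expression", "spring-jdbc",
             "spring-tx", "spring-orm", "spring-context-support", "spring-jcl"}
# e.g. spring-webmvc-5.2.10.RELEASE.jar or spring-beans-5.3.18.jar
JAR_RE = re.compile(r"^(spring-[a-z-]+?)-(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?\.jar$")
# First fixed release per maintained line (Spring Framework advisory, 2022-03-31).
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

def is_vulnerable(version):
    """True if a Spring Framework version predates the CVE-2022-22965 fix."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    if (major, minor) in FIXED:
        return (major, minor, patch) < FIXED[(major, minor)]
    # Lines before 5.2 are end-of-life and never got the fix; 6.x came after it.
    return (major, minor) < (5, 2)

def classify(filename):
    """Return (artifact, version, vulnerable) for a Spring Framework jar, else None."""
    m = JAR_RE.match(filename)
    if not m or m.group(1) not in FRAMEWORK:
        return None
    version = ".".join(m.group(2, 3, 4))
    return m.group(1), version, is_vulnerable(version)

def scan(root):
    """Walk an installation (WEB-INF/lib, osgi/, deployed portlets) for Spring jars."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            info = classify(name)
            if info:
                hits.append((os.path.join(dirpath, name),) + info)
    return hits

if __name__ == "__main__":
    # Constructed sample layout standing in for a real Liferay bundle.
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "tomcat", "webapps", "ROOT", "WEB-INF", "lib")
        os.makedirs(lib)
        for jar in ("spring-webmvc-5.2.10.RELEASE.jar", "spring-beans-5.3.18.jar",
                    "spring-security-core-5.6.2.jar", "portal-impl.jar"):
            open(os.path.join(lib, jar), "w").close()
        for path, artifact, version, vuln in scan(root):
            print("VULNERABLE" if vuln else "ok", artifact, version, path, sep="\t")
```

Point `scan()` at the Liferay home directory rather than only WEB-INF/lib, since custom portlets deployed under osgi/ may bundle their own Spring jars.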

Tobias Liefke, modified 3 years ago. Junior Member, Posts: 78, Join Date: 11/23/12

Hi David,

thank you for your response.

I had the same impression that the default installation is not affected; I just wanted to be sure.

Tobias