Knowledgebase:
(Spring4Shell) CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
21 April 2022 09:00 PM

Updates

Wednesday, April 13, 2022: This article was updated with the new releases of Data Hub Framework (DHF 5.7.1) and Data Hub Central (5.7.1).

Monday, April 04, 2022: This article was updated to account for the new guidance and remediation steps for CVE-2022-22965.

Thursday, March 31, 2022: Original article published.

Subject:

(Spring4Shell) CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

Summary:

On Wednesday, March 30, 2022, reports emerged of a new remote code execution flaw affecting the Spring Framework. The vulnerability, popularly known as "Spring4Shell", was previously unknown.

The CVE designation is CVE-2022-22965, with a CVSS score of 9.8. Spring has acknowledged the vulnerability and released Spring Framework 5.3.18 and 5.2.20 to patch the issue, as well as Spring Boot 2.6.6.

MarkLogic is aware of this vulnerability and is in the process of assessing the impact on our products and Client APIs.

Update on analysis as of 4/22/2022:

1.1. MarkLogic Server

MarkLogic Server, whether on-premises or on AWS/Azure, is not vulnerable to CVE-2022-22965.

There is no known impact on the Admin GUI, Query Console, or Monitoring History/Dashboard.

1.2. MarkLogic Java Client

No direct impact: the Java Client API uses only spring-jdbc 5.2.7.

It does not meet the exploit prerequisites listed for CVE-2022-22965 (see https://help.marklogic.com/Knowledgebase/Article/View/spring4shell-cve-2022-22965-spring-framework-rce-via-data-binding-on-jdk-9).

These are the prerequisites for the exploit:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

spring-jdbc has a transitive dependency on spring-core and spring-beans (identified as vulnerable). Hence, we have upgraded spring-jdbc to version 5.3.18, which ships in the latest Java Client API release, 5.5.3, available on DMC and GitHub.
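As an added illustration (not MarkLogic's code), the following Python script applies the prerequisite checklist and the fixed-version thresholds above to a constructed `mvn dependency:tree` listing: it flags spring-core/spring-beans older than 5.3.18 or 5.2.20 (the advisory's patched releases) and reports separately whether the JDK, Tomcat, WAR-packaging and spring-webmvc/webflux prerequisites are all met. The sample tree, the `scan_dependency_tree` and `triage` names, and the treatment of release lines older than 5.2 as needing an upgrade are assumptions made for this example.

```python
import re

# Artifacts named in the advisory: spring-core/spring-beans carry the flaw;
# spring-webmvc/spring-webflux are one of the listed exploit prerequisites.
VULNERABLE = {"spring-core", "spring-beans"}
WEB_STACK = {"spring-webmvc", "spring-webflux"}
# Fixed versions from the advisory, keyed by release line.
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
# Matches e.g. "org.springframework:spring-beans:jar:5.2.7.RELEASE:compile"
DEP_RE = re.compile(r"org\.springframework:(spring-[a-z-]+):jar:(\d+)\.(\d+)\.(\d+)")
# Matches the root artifact line, e.g. "[INFO] com.example:app:war:1.0"
ROOT_RE = re.compile(r"^\[INFO\] ([\w.-]+):([\w.-]+):(\w+):", re.MULTILINE)

def is_below_fix(version):
    """True when a Spring version predates the fix for its release line.
    Assumption: lines older than 5.2 have no fixed release and are flagged."""
    line = version[:2]
    if line in FIXED:
        return version < FIXED[line]
    return line < (5, 2)

def scan_dependency_tree(text):
    """Return (artifacts needing upgrade, root packaging, web stack present)."""
    needs_upgrade = {}
    has_web_stack = False
    for m in DEP_RE.finditer(text):
        artifact = m.group(1)
        version = tuple(int(x) for x in m.group(2, 3, 4))
        has_web_stack |= artifact in WEB_STACK
        if artifact in VULNERABLE and is_below_fix(version):
            needs_upgrade[artifact] = "%d.%d.%d" % version
    root = ROOT_RE.search(text)
    return needs_upgrade, (root.group(3) if root else "unknown"), has_web_stack

def triage(text, jdk_major, servlet_container):
    """Separate "needs a patch" from "meets every listed exploit prerequisite"."""
    needs_upgrade, packaging, has_web_stack = scan_dependency_tree(text)
    prereqs = (jdk_major >= 9 and servlet_container.lower() == "tomcat"
               and packaging == "war" and has_web_stack)
    return {"needs_upgrade": needs_upgrade,
            "exploit_prerequisites_met": bool(needs_upgrade) and prereqs}

# Constructed sample of `mvn dependency:tree` output, not a real project.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- org.springframework:spring-jdbc:jar:5.2.7.RELEASE:compile
[INFO] |  +- org.springframework:spring-beans:jar:5.2.7.RELEASE:compile
[INFO] |  \\- org.springframework:spring-core:jar:5.2.7.RELEASE:compile
[INFO] \\- org.springframework:spring-webmvc:jar:5.3.18:compile
"""
```

Calling `triage(SAMPLE_TREE, 11, "tomcat")` reports spring-beans and spring-core 5.2.7 as needing an upgrade while the JAR packaging keeps the prerequisite set unmet, mirroring the Java Client API reasoning above.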

1.3. MarkLogic Data Hub & Hub Central

MarkLogic Data Hub and Data Hub Central are impacted. Data Hub Framework (DHF) 5.7.1 is now available.

1.4. MarkLogic Data Hub Service

  • Hub Central is impacted. The Hub Central component exists only on DHS versions >= 3.0. Customers using Hub Central in DHS who wish to update dependencies or versions once the new version is available should contact MarkLogic Support, to the attention of the Cloud Services team.
  • mlcmd is not affected.
  • Sumo Logic is not affected. Sumo Logic Support validated that it is not vulnerable to known CVE-2022-22965 exploitation methods. The Sumo Logic collector is also not vulnerable to known Spring Cloud framework exploitation methods. Out of an abundance of caution, Sumo Logic will be updating the Sumo Logic Service; however, no action is required on your part.

1.5. MarkLogic-supported client libraries and tools

1.5.1. Un-impacted versions

S.No. | Component | Comments
1. | XCC | No action is needed at this time. All systems have been thoroughly scanned and patched with the recommended fixes wherever needed.
2. | MLCP | No action is needed at this time. All systems have been thoroughly scanned and patched with the recommended fixes wherever needed.
3. | mlcmd | mlcmd uses XMLSH and is not affected by this vulnerability.

1.5.2. Impacted versions

S.No. | Component | Comments
1. | Java Client Util | ml-javaclient-util-4.3.1 is now available on GitHub and Maven Central.
2. | ml-gradle/ml-app-deployer | ml-gradle-4.3.4 is now available on GitHub. ml-app-deployer-4.3.3 is now available on GitHub and Maven Central.
3. | Data Hub Framework | DHF 5.7.1 is now available on GitHub and Maven Central.
4. | Data Hub Client Jar | A download link for GitHub is available.
5. | Data Hub Central | Data Hub Central 5.7.1 is now available on GitHub and Maven Central.
6. | Data Hub Central Community | DHCCE 5.7.1 is now available on GitHub.
7. | Apache Spark Connector | Spark connector 1.0.1 is now available at https://developer.marklogic.com/products/spark/
8. | AWS Glue Connector | Glue connector 1.0.1 is now available at https://aws.amazon.com/marketplace/pp/prodview-ws7nrqwwj3qec. Documentation: https://docs.marklogic.com/cloudservices/aws/release-notes/release-notes-aws-dhs-tools.html
9. | Pega Connector | Upgrade to ml-gradle 4.3.4.

1.6. MarkLogic Open Source and Community-owned projects

1.6.1. Un-impacted versions

S.No. | Community Libraries | Comments
1. | MuleSoft Connector | MuleSoft applications do not run in Tomcat containers and are not packaged as WARs, so the affected Spring versions are not vulnerable in that deployment. The current MuleSoft Connector does not meet the prerequisites, even though it depends on ml-javaclient-util, which includes affected Spring Framework libraries. The ml-javaclient-util Spring dependencies should nevertheless be updated.
2. | ml-javaclient-util | Versions 4.2.0 and the latest 4.3.0 include affected Spring versions in their dependencies, but should be safe as-is unless bundled into a Tomcat/Spring app. The ml-javaclient-util Spring dependencies should nevertheless be updated.

1.6.2. Impacted versions

Details will be updated here if any are identified.

1.7. Contact and Links

MarkLogic is dedicated to supporting our customers, partners, and developer community to ensure their safety. If you have a registered support account, feel free to contact support@marklogic.com with any additional questions.
