---
layout: post
title: CloudStack Advisory on Spring4Shell (CVE-2022-22965 and CVE-2022-22963)
date: '2022-04-14T00:00:00+00:00'
categories: cloudstack
---
<p style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt;"><span style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt;" data-preserver-spaces="true">At the beginning of April 2022, vulnerabilities in the Spring Framework for Java were publicly disclosed. Many companies observed active exploitation of the Spring4Shell vulnerability, tracked as CVE-2022-22965. This vulnerability allows attackers to execute the </span><a class="editor-rtfLink" style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt; ; color: #4a6ee0;" href="https://en.wikipedia.org/wiki/Mirai_(malware)" target="_blank" rel="noopener"><span style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt; ; color: #4a6ee0;" data-preserver-spaces="true">Mirai botnet malware</span></a><span style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt;" data-preserver-spaces="true">: the exploit lets threat actors download a Mirai sample to the “/tmp” folder, make it executable with “chmod”, and run it.</span></p>

<p style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt;"><span style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt;" data-preserver-spaces="true">Currently, there are two vulnerabilities that allow malicious actors to achieve remote code execution (RCE) in the Spring Framework: </span><a class="editor-rtfLink" style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt; ; color: #4a6ee0;" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965" target="_blank" rel="noopener"><span style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt; ; color: #4a6ee0;" data-preserver-spaces="true">CVE-2022-22965</span></a><span style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt;" data-preserver-spaces="true"> and </span><a class="editor-rtfLink" style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt; ; color: #4a6ee0;" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963" target="_blank" rel="noopener"><span style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt; ; color: #4a6ee0;" data-preserver-spaces="true">CVE-2022-22963</span></a><span style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt;" data-preserver-spaces="true">. The vulnerabilities are tracked against VMware's products (VMware maintains Spring), and the Spring Framework project has published new releases </span><a class="editor-rtfLink" style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt; ; color: #4a6ee0;" href="https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted" target="_blank" rel="noopener"><span style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt; ; color: #4a6ee0;" data-preserver-spaces="true">v5.3.18 and v5.2.20</span></a><span style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt;" data-preserver-spaces="true"> as mitigation.</span></p>

<p style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt;"><span style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt;" data-preserver-spaces="true">CloudStack is not affected by the Spring4Shell RCE and these CVEs because it isn't deployed as a WAR package and doesn't use Tomcat as the servlet container (it uses embedded Jetty and is deployed as an uber-jar). Further, it doesn't use the spring-webmvc or spring-webflux dependencies.</span></p>

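As an added example (not code from the CloudStack project or from this advisory), the script below applies the same exposure criteria to any Java deployment: it inventories Spring jars, including ones nested inside a WAR or uber-jar, flags versions below the fixed 5.3.18 / 5.2.20 releases, and reports Spring4Shell exposure only when the WAR-on-Tomcat and spring-webmvc/spring-webflux preconditions all hold at once. The archive names, jar layouts and the packaging/container labels are constructed inputs, not values from the page.

```python
"""Triage a Java deployment for the Spring4Shell (CVE-2022-22965) preconditions:
WAR on Tomcat, spring-webmvc/webflux present, Spring older than 5.3.18 / 5.2.20."""
import re
import tempfile
import zipfile
from pathlib import Path

FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}  # first fixed release per line
JAR_RE = re.compile(r"^(spring-[a-z]+)-(\d+)\.(\d+)\.(\d+)(?:\.RELEASE)?\.jar$")

def spring_artifacts(root):
    """Map Spring artifact name -> (major, minor, patch) for every jar under
    root, including jars nested inside a WAR or uber-jar (WEB-INF/lib etc.)."""
    found = {}
    for path in Path(root).rglob("*"):
        names = [path.name]
        if path.is_file() and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as z:
                names += [Path(n).name for n in z.namelist()]
        for n in names:
            m = JAR_RE.match(n)
            if m:
                found[m.group(1)] = tuple(int(x) for x in m.group(2, 3, 4))
    return found

def assess(root, packaging, container):
    """Return (exposed, findings). Exposure needs all preconditions at once;
    an outdated Spring on its own is still reported as an upgrade finding."""
    arts = spring_artifacts(root)
    web = [a for a in ("spring-webmvc", "spring-webflux") if a in arts]
    old = {a: v for a, v in arts.items() if v[:2] in FIXED and v < FIXED[v[:2]]}
    findings = []
    if old:
        listed = ", ".join(f"{a} {v[0]}.{v[1]}.{v[2]}" for a, v in sorted(old.items()))
        findings.append("outdated spring artifacts: " + listed)
    exposed = bool(web) and bool(old) and packaging == "war" and container == "tomcat"
    if exposed:
        findings.append(f"Spring4Shell preconditions met: {packaging} on {container} with {web}")
    return exposed, findings

def build_sample(layout):
    """Constructed fixture: write empty jars named per `layout`
    ({archive: [nested jar names]}) into a temp dir and return its path."""
    root = Path(tempfile.mkdtemp())
    for archive, nested in layout.items():
        with zipfile.ZipFile(root / archive, "w") as z:
            for n in nested:
                z.writestr(f"WEB-INF/lib/{n}", b"")
    return root
```

Point `assess` at a real exploded deployment directory (with its actual packaging and container) to get the same two-level result: an upgrade finding whenever an outdated Spring jar is present, and an exposure flag only when every precondition is met.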
<p style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt;"><span style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt;" data-preserver-spaces="true">As part of the Apache CloudStack project's routine maintenance and release efforts, a pull request towards the next 4.17 LTS release (4.17.0.0 milestone) that upgrades the spring-framework dependency to the latest v5.3.18 has been merged:</span></p>

<p style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt;"><a class="editor-rtfLink" style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt; ; color: #4a6ee0;" href="https://github.com/apache/cloudstack/pull/6250/files" target="_blank" rel="noopener"><span style="color: #0e101a; background: transparent; margin-top: 0pt; margin-bottom: 0pt; ; color: #4a6ee0;" data-preserver-spaces="true">https://github.com/apache/cloudstack/pull/6250/files</span></a></p>