https://connect.hyland.com/t5/alfresco-forum/spring4shell-vulnerability/m-p/144155#M38264 <P>The Spring Frameworks vulnerabilities&nbsp;CVE-2022-22963 and&nbsp;CVE-2022-22965 requires special preconditions<BR />(see <A href="https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement" target="_blank" rel="noopener nofollow noreferrer">https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement</A>)<BR />to be exploited. To my current knowledge, a class loading mechanism in Tomcat Common Logging allows the exploitation of this "Spring4Shell" vulnerability in the first place.</P><P><BR />Until Alfresco has evaluated&nbsp;</P><DIV>CVE-2022-22963 (Spring Cloud Function)</DIV><DIV>CVE-2022-22965 (Spring MVC and Spring WebFlux)<BR /><BR />in its inernal jira MNTs and provide a HF for all its Spring Framework related products, we could react by:<BR /><BR /><STRONG>UPGRADING TOMCAT!</STRONG><BR /><BR /><P>New Tomcat versions are now available for download:<BR /><BR />Tomcat 9 (for ACS 7.0-ACS7.2):<BR /><A href="https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62.tar.gz" target="_blank" rel="noopener nofollow noreferrer">https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62.tar.gz</A><BR /><BR />Tomcat 8 (for ACS 6.0-ACS6.2):<BR /><A href="https://dlcdn.apache.org/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78.tar.gz" target="_blank" rel="noopener nofollow noreferrer">https://dlcdn.apache.org/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78.tar.gz</A></P><P>With Apache Tomcat versions 10.0.20, 9.0.62 and 8.5.78, the WebappClassLoaderBase.getResources() method has been disabled. This prevents attacks via Spring4Shell vulnerability and as far as I know secures Alfresco Content Services against this exploit.</P>More information:<BR /><A href="https://tomcat.apache.org/tomcat-10.0-doc/changelog.html#Tomcat_10.0.20_(market" target="_blank" rel="noopener nofollow noreferrer">https://tomcat.apache.org/tomcat-10.0-doc/changelog.html#Tomcat_10.0.20_(market</A>)<BR /><A href="https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.62_(remm" target="_blank" rel="noopener nofollow noreferrer">https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.62_(remm</A>)<BR /><A href="https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.78_(market" target="_blank" rel="noopener nofollow noreferrer">https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.78_(market</A>)<BR /><BR />Additionally the National Cyber Security Centrum has published&nbsp;&nbsp;a compilation on Spring4Shell,<BR /><A href="https://github.com/NCSC-NL/spring4shell" target="_blank" rel="noopener nofollow noreferrer">https://github.com/NCSC-NL/spring4shell</A><BR />with&nbsp;a list of known vulnerable and non-vulnerable software, as well as detection tools and vulnerability scanners.<BR /><BR /><SPAN>Please check your own extensions / applications (*.war) running in the same Tomcat as Alfresco Content Service for the "Spring4Shell" vulnerability!</SPAN></DIV> Mon, 04 Apr 2022 14:59:31 GMT aitseitz 2022-04-04T14:59:31Z https://connect.hyland.com/t5/alfresco-forum/spring4shell-vulnerability/m-p/144152#M38261 <P>Is this something we should worry about?</P><P><A title="Spring4Shell" href="https://venturebeat.com/2022/03/30/spring4shell-vulnerability-likely-to-affect-real-world-apps-analyst-says/" target="_self" rel="nofollow noopener noreferrer">https://venturebeat.com/2022/03/30/spring4shell-vulnerability-likely-to-affect-real-world-apps-analyst-says/</A>&nbsp;</P><P><A href="https://tanzu.vmware.com/security/cve-2022-22965" target="_self" rel="nofollow noopener noreferrer">CVE-2022-22965</A>&nbsp;</P> Fri, 01 Apr 2022 13:13:19 GMT https://connect.hyland.com/t5/alfresco-forum/spring4shell-vulnerability/m-p/144152#M38261 GerhardSA 2022-04-01T13:13:19Z https://connect.hyland.com/t5/alfresco-forum/spring4shell-vulnerability/m-p/144153#M38262 <P>We're still evaluating the impact of this vulnerability in the ACS Stack.</P> <P>It's highly unlikely that vanilla Alfresco deployment is vulnerable to this CVE, but we'll be publishing an official statement related to this topic in the next days.</P> Fri, 01 Apr 2022 13:22:45 GMT https://connect.hyland.com/t5/alfresco-forum/spring4shell-vulnerability/m-p/144153#M38262 angelborroy 2022-04-01T13:22:45Z https://connect.hyland.com/t5/alfresco-forum/spring4shell-vulnerability/m-p/144154#M38263 <P>Thank you for the quick reply. We'll be waiting for the official statement.</P> Fri, 01 Apr 2022 13:36:36 GMT https://connect.hyland.com/t5/alfresco-forum/spring4shell-vulnerability/m-p/144154#M38263 GerhardSA 2022-04-01T13:36:36Z https://connect.hyland.com/t5/alfresco-forum/spring4shell-vulnerability/m-p/144155#M38264 <P>The Spring Frameworks vulnerabilities&nbsp;CVE-2022-22963 and&nbsp;CVE-2022-22965 requires special preconditions<BR />(see <A href="https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement" target="_blank" rel="noopener nofollow noreferrer">https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement</A>)<BR />to be exploited. To my current knowledge, a class loading mechanism in Tomcat Common Logging allows the exploitation of this "Spring4Shell" vulnerability in the first place.</P><P><BR />Until Alfresco has evaluated&nbsp;</P><DIV>CVE-2022-22963 (Spring Cloud Function)</DIV><DIV>CVE-2022-22965 (Spring MVC and Spring WebFlux)<BR /><BR />in its inernal jira MNTs and provide a HF for all its Spring Framework related products, we could react by:<BR /><BR /><STRONG>UPGRADING TOMCAT!</STRONG><BR /><BR /><P>New Tomcat versions are now available for download:<BR /><BR />Tomcat 9 (for ACS 7.0-ACS7.2):<BR /><A href="https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62.tar.gz" target="_blank" rel="noopener nofollow noreferrer">https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62.tar.gz</A><BR /><BR />Tomcat 8 (for ACS 6.0-ACS6.2):<BR /><A href="https://dlcdn.apache.org/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78.tar.gz" target="_blank" rel="noopener nofollow noreferrer">https://dlcdn.apache.org/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78.tar.gz</A></P><P>With Apache Tomcat versions 10.0.20, 9.0.62 and 8.5.78, the WebappClassLoaderBase.getResources() method has been disabled. This prevents attacks via Spring4Shell vulnerability and as far as I know secures Alfresco Content Services against this exploit.</P>More information:<BR /><A href="https://tomcat.apache.org/tomcat-10.0-doc/changelog.html#Tomcat_10.0.20_(market" target="_blank" rel="noopener nofollow noreferrer">https://tomcat.apache.org/tomcat-10.0-doc/changelog.html#Tomcat_10.0.20_(market</A>)<BR /><A href="https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.62_(remm" target="_blank" rel="noopener nofollow noreferrer">https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.62_(remm</A>)<BR /><A href="https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.78_(market" target="_blank" rel="noopener nofollow noreferrer">https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.78_(market</A>)<BR /><BR />Additionally the National Cyber Security Centrum has published&nbsp;&nbsp;a compilation on Spring4Shell,<BR /><A href="https://github.com/NCSC-NL/spring4shell" target="_blank" rel="noopener nofollow noreferrer">https://github.com/NCSC-NL/spring4shell</A><BR />with&nbsp;a list of known vulnerable and non-vulnerable software, as well as detection tools and vulnerability scanners.<BR /><BR /><SPAN>Please check your own extensions / applications (*.war) running in the same Tomcat as Alfresco Content Service for the "Spring4Shell" vulnerability!</SPAN></DIV> Mon, 04 Apr 2022 14:59:31 GMT https://connect.hyland.com/t5/alfresco-forum/spring4shell-vulnerability/m-p/144155#M38264 aitseitz 2022-04-04T14:59:31Z