A new vulnerability in the Java Spring Framework, dubbed Spring4Shell (CVE-2022-22965), was recently disclosed. It has a potentially large impact because many applications use the Spring Framework. Neither Lansweeper nor its third-party components are vulnerable or affected.
Like Log4Shell, Spring4Shell concerns a Java library that is embedded in a great many applications. According to Contrast Security, the Spring Core Framework is used in 74% of Java applications.
As with Log4j, the Dutch National Cyber Security Centre (NCSC-NL) created a public GitHub repository with its collected information, including the preconditions for the vulnerable scenario, tools and scripts to scan for affected Spring Framework versions, and more.
The vulnerable scenario, as published by Spring, requires all of the following:
- Running on JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as a traditional WAR and deployed in a standalone Tomcat instance. Typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted.
- spring-webmvc or spring-webflux dependency.
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions (fixed in 5.3.18 and 5.2.20).
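The checklist above is easy to turn into a repeatable check. The following is an added example, not Lansweeper's or Spring's code: it unpacks a WAR, reads the Spring Framework version from the `WEB-INF/lib` jar names, and reports which of the five preconditions are not met. The `build_sample_war` helper constructs a throwaway WAR in memory so the script runs offline; the jar-name regex, the `assess` function and its message strings are assumptions of this example.

```python
import io
import re
import zipfile

# First fixed releases per Spring's CVE-2022-22965 advisory, keyed by (major, minor).
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Precondition labels returned by assess() when a check is not met (example's own wording).
NEED_JDK = "JDK 9 or higher"
NEED_TOMCAT = "Apache Tomcat as the Servlet container"
NEED_WAR = "traditional WAR deployed in standalone Tomcat"
NEED_WEB = "spring-webmvc or spring-webflux dependency"
NEED_VERSION = "Spring Framework 5.3.0-5.3.17, 5.2.0-5.2.19, or older"

# Matches spring-core/webmvc/webflux jars in a traditional WAR (assumed naming, e.g.
# spring-webmvc-5.3.17.jar or spring-core-5.2.19.RELEASE.jar). Spring Boot fat jars
# keep their libraries under BOOT-INF/lib instead and are not matched on purpose.
_JAR_RE = re.compile(
    r"^WEB-INF/lib/(spring-(?:core|webmvc|webflux))-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$"
)


def parse_version(text: str) -> tuple:
    """'5.2.19.RELEASE' -> (5, 2, 19); trailing qualifiers are ignored."""
    return tuple(int(part) for part in text.split(".")[:3])


def spring_version_vulnerable(version: tuple) -> bool:
    """True when version falls inside the affected ranges published by Spring."""
    major, minor, _patch = version
    if (major, minor) < (5, 2):
        return True  # "and older versions": every pre-5.2 line is affected
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return False  # a line without a listed fix (e.g. 6.x) post-dates the advisory
    return version < fixed


def scan_war(war_bytes: bytes) -> dict:
    """Return {artifact: (major, minor, patch)} for the Spring jars found in a WAR."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            match = _JAR_RE.match(name)
            if match:
                found[match.group(1)] = tuple(int(x) for x in match.group(2, 3, 4))
    return found


def assess(jdk_major: int, container: str, packaging: str, jars: dict) -> list:
    """List the preconditions that are NOT met; an empty list means the deployment
    matches the vulnerable scenario exactly as Spring described it."""
    unmet = []
    if jdk_major < 9:
        unmet.append(NEED_JDK)
    if container.lower() != "tomcat":
        unmet.append(NEED_TOMCAT)
    if packaging.lower() != "war":
        unmet.append(NEED_WAR)
    if not ("spring-webmvc" in jars or "spring-webflux" in jars):
        unmet.append(NEED_WEB)
    if not any(spring_version_vulnerable(v) for v in jars.values()):
        unmet.append(NEED_VERSION)
    return unmet


def build_sample_war(spring_version: str = "5.3.17") -> bytes:
    """Constructed sample: a minimal WAR layout with empty placeholder jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr(f"WEB-INF/lib/spring-core-{spring_version}.jar", b"")
        war.writestr(f"WEB-INF/lib/spring-webmvc-{spring_version}.jar", b"")
        war.writestr("WEB-INF/lib/commons-lang3-3.12.0.jar", b"")  # unrelated, must be ignored
    return buf.getvalue()


if __name__ == "__main__":
    for version in ("5.3.17", "5.3.18"):
        jars = scan_war(build_sample_war(version))
        unmet = assess(jdk_major=11, container="tomcat", packaging="war", jars=jars)
        print(version, jars, "VULNERABLE SCENARIO" if not unmet else f"not met: {unmet}")
```

For a real deployment, read the WAR from `$CATALINA_BASE/webapps` and take the JDK major from `java -version`. An empty `unmet` list is a confirmed match; a non-empty one is not a clean bill of health, because Spring's advisory states that the listed preconditions describe the known exploit and that other ways to exploit the underlying flaw may exist, so affected Spring Framework versions should be upgraded to 5.3.18 or 5.2.20 regardless of packaging.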
Our security team has evaluated Lansweeper and all of its third-party components for exposure to CVE-2022-22965. After the evaluation, we’re happy to confirm that neither Lansweeper nor its third-party components are vulnerable to or affected by the Spring4Shell vulnerability.