Spring4Shell critical Spring vulnerability

CVE-2022-22965: Spring framework 0-day remote code execution vulnerability, aka Spring4Shell

A new Remote Code Execution vulnerability has been discovered in the Spring framework. We have determined that Skyve is not vulnerable to this attack as currently described.

The exploit requires an endpoint with DataBinder enabled (e.g. a POST request whose body is automatically bound to a Java object). Spring MVC and Spring WebFlux applications are also vectors for this exploit.

Skyve does not use DataBinder, MVC or WebFlux.
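
As an added illustration (not Skyve code or code from the Spring project), the kind of Spring MVC endpoint the advisory refers to, with DataBinder populating a plain object from request fields, followed by the `@InitBinder` field denylist that the Spring team published as an interim hardening for applications that could not upgrade immediately. The `GreetingController`, `GreetingForm` and `BinderHardeningAdvice` names are constructed for this example.

```java
package example; // hypothetical package for this illustration

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

// Constructed example: a Spring MVC endpoint where DataBinder is in play.
// Request parameters are bound onto the fields of a plain POJO by name,
// which is the entry point the Spring4Shell technique relied on.
@RestController
public class GreetingController {

    public static class GreetingForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Spring populates GreetingForm from the POSTed fields automatically;
    // no explicit parsing code is needed, which is why the exposure is easy to miss.
    @PostMapping("/greet")
    public String greet(GreetingForm form) {
        return "Hello, " + form.getName();
    }
}

// Interim hardening published by the Spring team for applications that could not
// upgrade immediately: refuse to bind any "class"/"Class" property path, so the
// binder will not traverse through Object.getClass() into the class loader.
// Upgrading Spring Framework to the patched release remains the actual fix.
@ControllerAdvice
@Order(Ordered.HIGHEST_PRECEDENCE)
class BinderHardeningAdvice {

    @InitBinder
    public void denyClassBinding(WebDataBinder binder) {
        // setDisallowedFields replaces any existing denylist; if the application
        // already configures disallowed fields, merge them with these patterns.
        String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        binder.setDisallowedFields(denylist);
    }
}
```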

VMware has released a patch version (5.3.18) to address this vulnerability in the core Spring framework library. However, not all Spring projects have been updated at this time.

We are aiming to release a new version of Skyve early next week that moves to the latest version of Spring. We are hopeful that in the meantime the spring-security project will update its dependencies to this version.

Although Skyve is not affected, we will move to the latest patch release to remove any ambiguity about our susceptibility and to eliminate the attack surface (which could increase in the coming weeks).

Ben Petito