All,

A new spring-framework RCE [1] and CVEs [2][3] have been announced, aka, 
Spring4Shell. The origin appears to be tracked to VMware products [2][3] and 
spring-framework has published new releases v5.3.18 and v5.2.20 [1] as 
mitigation.

CloudStack isn't deployed as a war and doesn't use Tomcat as the servlet 
container (it uses embedded Jetty and is deployed as an uber-jar); further, it doesn't 
use spring-webmvc or spring-webflux directly per my investigation. Therefore, 
CloudStack is not affected [1] by the Spring4Shell RCE and the CVEs.

However, as part of our routine maintenance and release effort, we have merged 
a pull request towards the next 4.17 LTS release (4.17.0.0 milestone) that 
upgrades our spring-framework dependency to the latest 5.3.18 version:
https://github.com/apache/cloudstack/pull/6250/files


[1] 
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963

[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965


Regards.
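Added example (not part of the announcement or of CloudStack's code): a small check that scores a deployment against the impact conditions the message cites from [1], i.e. whether the spring-framework version is at or above the fixed 5.3.18 / 5.2.20 releases and whether the packaging matches the known exploit vector (WAR on Tomcat with spring-webmvc or spring-webflux, running on JDK 9+). The `Deployment` profile values are constructed for illustration.

```python
"""Assess a deployment against the Spring4Shell (CVE-2022-22965) impact
conditions: fixed versions 5.3.18 / 5.2.20, and the known exploit vector of a
traditional WAR on Tomcat using spring-webmvc/webflux on JDK 9+ (the JDK
requirement comes from the Spring advisory, not from the message above)."""
from dataclasses import dataclass, field

# First patched patch-level for each supported spring-framework line.
FIXED = {(5, 3): 18, (5, 2): 20}


@dataclass
class Deployment:
    spring_version: str                 # spring-framework version, e.g. "5.3.17"
    packaging: str                      # "war" or "jar" (uber-jar)
    container: str                      # "tomcat", "jetty", ...
    jdk_major: int
    deps: set = field(default_factory=set)  # artifact ids on the classpath


def parse_version(v: str) -> tuple:
    """'5.3.18' or '5.2.20.RELEASE' -> (5, 3, 18); qualifiers are dropped."""
    return tuple(int(p) for p in v.split(".")[:3])


def spring_patched(v: str) -> bool:
    major, minor, patch = parse_version(v)
    fixed = FIXED.get((major, minor))
    # Lines with no fix release (5.1.x, 4.x, ...) are treated as unpatched.
    return fixed is not None and patch >= fixed


def assess(d: Deployment) -> dict:
    """Return whether the version is fixed, whether the known exploit
    preconditions all hold, and the resulting recommended action."""
    web = bool(d.deps & {"spring-webmvc", "spring-webflux"})
    known_vector = (d.packaging == "war" and d.container == "tomcat"
                    and web and d.jdk_major >= 9)
    patched = spring_patched(d.spring_version)
    if patched:
        action = "none"
    elif known_vector:
        action = "upgrade now"
    else:
        # Not the known vector (e.g. embedded Jetty uber-jar without
        # spring-webmvc), but the upgrade is still routine maintenance.
        action = "upgrade as maintenance"
    return {"patched": patched, "known_vector": known_vector, "action": action}
```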
