All,

Thanks to Ivet, we have an advisory published here now: https://blogs.apache.org/cloudstack/entry/cloudstack-advisory-on-spring4shell-cve

Regards.

________________________________
From: Rohit Yadav <rohit.ya...@shapeblue.com>
Sent: Wednesday, April 13, 2022 22:06
To: dev@cloudstack.apache.org <dev@cloudstack.apache.org>; us...@cloudstack.apache.org <us...@cloudstack.apache.org>
Subject: [SHARE] CloudStack and Spring4Shell

All,

A new spring-framework RCE [1] and CVEs [2][3] have been announced, aka Spring4Shell. The origin appears to be tracked to VMware products [2][3], and spring-framework has published new releases v5.3.18 and v5.2.20 [1] as mitigation.

CloudStack isn't deployed as a war and doesn't use Tomcat as the servlet container (it uses embedded Jetty and is deployed as an uber-jar); further, it doesn't use spring-webmvc or spring-webflux directly per my investigation. Therefore, CloudStack is not affected [1] by the Spring4Shell RCE and the CVEs.

However, as part of our routine maintenance and release effort, we have merged a pull request towards the next 4.17 LTS release (4.17.0.0 milestone) that upgrades our spring-framework dependency to the latest 5.3.18 version: https://github.com/apache/cloudstack/pull/6250/files

[1] https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965

Regards.
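The reasoning in Rohit's mail (not a war, not on Tomcat, no spring-webmvc/webflux, dependency bumped to 5.3.18) follows the precondition list in the Spring "Am I impacted" post he links as [1]. The script below is an added example, not CloudStack's or Spring's code, that turns those preconditions into a repeatable check an operator can run against their own deployment artifact. It reads the Spring version and the presence of web modules out of an archive (uber-jar or war) and combines that with the two facts the archive cannot tell you (servlet container, JDK major). The two sample archives are constructed in memory and only mimic the layout of a Jetty uber-jar and a Tomcat war; the function and file names are mine.

```python
"""Check a Java archive against the Spring4Shell (CVE-2022-22965) preconditions.

Preconditions (from the Spring "Am I impacted" announcement): JDK 9+,
Tomcat as the servlet container, WAR packaging, a spring-webmvc or
spring-webflux dependency, and a Spring Framework release older than the
fixed 5.3.18 / 5.2.20. All five must hold for the known exploit path.
"""
import io
import re
import zipfile

# First fixed release per supported line, as announced by Spring.
FIXED_RELEASE = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Bundled jar names such as WEB-INF/lib/spring-webmvc-5.3.17.jar
LIB_JAR_RE = re.compile(r"(?:^|/)spring-(core|webmvc|webflux)-(\d+(?:\.\d+)+)[^/]*\.jar$")
# Class path prefixes of the web modules when they are unpacked into an uber-jar
WEB_CLASS_PREFIXES = ("org/springframework/web/servlet/", "org/springframework/web/reactive/")


def parse_version(text):
    """'5.2.20.RELEASE' -> (5, 2, 20); qualifiers are dropped."""
    return tuple(int(p) for p in text.split(".")[:3])


def version_is_fixed(version):
    """True if the spring-core version is at or above the fixed release of its line."""
    line = version[:2]
    if line in FIXED_RELEASE:
        return version >= FIXED_RELEASE[line]
    # Lines newer than 5.3 postdate the fix; older lines never received one.
    return line > (5, 3)


def spring_core_version(zf):
    """Find spring-core's version from Maven pom.properties or a bundled jar name."""
    for name in zf.namelist():
        if name.endswith("META-INF/maven/org.springframework/spring-core/pom.properties"):
            for line in zf.read(name).decode().splitlines():
                if line.startswith("version="):
                    return parse_version(line.split("=", 1)[1].strip())
        m = LIB_JAR_RE.search(name)
        if m and m.group(1) == "core":
            return parse_version(m.group(2))
    return None


def has_web_module(zf):
    """True if spring-webmvc or spring-webflux is present, bundled or unpacked."""
    for name in zf.namelist():
        if any(prefix in name for prefix in WEB_CLASS_PREFIXES):
            return True
        m = LIB_JAR_RE.search(name)
        if m and m.group(1) in ("webmvc", "webflux"):
            return True
    return False


def assess(archive_bytes, servlet_container, jdk_major):
    """Evaluate the preconditions; 'affected' is True only when all of them hold."""
    zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    version = spring_core_version(zf)
    checks = {
        "jdk9_plus": jdk_major >= 9,
        "tomcat": servlet_container.lower() == "tomcat",
        "war_packaging": any(n.startswith("WEB-INF/") for n in zf.namelist()),
        "web_module": has_web_module(zf),
        # Unknown version is treated as unpatched so it is not silently cleared.
        "unpatched_spring": version is None or not version_is_fixed(version),
    }
    return {"spring_version": version, "checks": checks, "affected": all(checks.values())}


def build_archive(entries):
    """Constructed sample archive: {entry name: bytes} -> zip bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: embedded-Jetty uber-jar with spring-core 5.3.18 and no web module.
UBER_JAR_SAMPLE = build_archive({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/maven/org.springframework/spring-core/pom.properties":
        b"version=5.3.18\ngroupId=org.springframework\nartifactId=spring-core\n",
    "org/springframework/core/SpringVersion.class": b"",
    "org/eclipse/jetty/server/Server.class": b"",
})

# Constructed sample: traditional war bundling spring-core and spring-webmvc 5.3.17.
WAR_SAMPLE = build_archive({
    "WEB-INF/web.xml": b"<web-app/>",
    "WEB-INF/lib/spring-core-5.3.17.jar": b"",
    "WEB-INF/lib/spring-webmvc-5.3.17.jar": b"",
})

if __name__ == "__main__":
    print(assess(UBER_JAR_SAMPLE, "jetty", 11))
    print(assess(WAR_SAMPLE, "tomcat", 11))
```

To run it against a real artifact, pass `open(path, "rb").read()` to `assess` together with the container and JDK actually in use. A `False` in any single check is what clears the deployment; the version check alone is not sufficient either way, which is why the thread reports the packaging and container facts alongside the dependency bump.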