Spring4Shell security vulnerability #1340
Comments
llinggit
pushed a commit
to llinggit/java-client-api
that referenced
this issue
Apr 1, 2022
llinggit
pushed a commit
that referenced
this issue
Apr 1, 2022
|
Ran all unit tests and they ran fine. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In Java Client API, we use spring-jdbc, 5.2.7
It doesn’t meet the prerequisites listed in CVE-2022-22965
These are the prerequisites for the exploit:
JDK 9 or higher
Apache Tomcat as the Servlet container
Packaged as WAR
spring-webmvc or spring-webflux dependency
However, it has dependencies on spring-core and spring-beans, which are marked as vulnerable in maven central.
The newest version of spring-jdbc 5.3.18 in maven repository has the patch. We better upgrade it to 5.3.18 anyway.
https://help.marklogic.com/Knowledgebase/Article/View/spring4shell-cve-2022-22965-spring-framework-rce-via-data-binding-on-jdk-9
https://tanzu.vmware.com/security/cve-2022-22965
https://wiki.marklogic.com/display/ENGINEERING/Spring4Shell+Vulnerability
So we can address your issue, please include the following:
Version of MarkLogic Java Client API
See Readme.txt
Version of MarkLogic Server
See admin gui on port 8001 or run xdmp:version() in Query Console - port 8000)
Java version
Run
java -versionOS and version
For MAC, run
sw_vers.For Windows, run
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"For Linux, run
cat /etc/os-releaseanduname -rInput: Some code to illustrate the problem, preferably in a state that can be independently reproduced on our end
Actual output: What did you observe? What errors did you see? Can you attach the logs? (Java logs, MarkLogic logs)
Expected output: What specifically did you expect to happen?
Alternatives: What else have you tried, actual/expected?
The text was updated successfully, but these errors were encountered: