Statement on Spring MVC/WebFlux vulnerability (CVE-2022-22965)

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.

Objectif Lune has run an audit of its own software products to determine if they are vulnerable to this attack. We are pleased to report that none of our current or legacy products are exposed to the attack.

More specifically:

  • The vulnerability is found in the spring-webmvc or spring-webflux dependencies.
    Neither of these modules is used by current or legacy Objectif Lune applications.
  • The vulnerability requires the application to be deployed as a WAR file on Tomcat.
    OL Connect doesn’t use Tomcat; it uses Jetty, packaged as a Spring Boot executable.
  • All criteria listed in the RCE’s description (CVE-2022-22965) must be met for an application to be vulnerable.
    Objectif Lune applications meet only one or two of those criteria. They therefore cannot be targeted by this vulnerability.

Note that some auditing applications may still report OL Connect as a false positive for this vulnerability because the version of the Spring Framework used in OL Connect is listed as potentially vulnerable, even though the modules concerned are unused.

Updating the Spring Framework in OL Connect would require a fair amount of retesting that would have a significant impact on the upcoming release of OL Connect 2022.1, which is currently in pre-release mode. We have therefore elected to go ahead with the release as planned, and we will start working immediately on eliminating those false-positive reports in the following release, 2022.2.
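
To separate a version-only scanner hit from real exposure, the check described above can be run against the packaged archive itself. The sketch below is an added example, not Objectif Lune's audit tooling: it lists the bundled libraries and reports which of the stated conditions (affected module present, WAR packaging, embedded servlet container) the archive meets. The archive contents, file names and version strings are constructed, and the JDK 9+ condition is a runtime property that this check does not cover.

```python
import io
import re
import zipfile

# Module names come from the statement above. WEB-INF/lib and BOOT-INF/lib are
# the standard library folders of a WAR and of a Spring Boot executable archive.
AFFECTED = ("spring-webmvc", "spring-webflux")
LIB_DIRS = ("WEB-INF/lib/", "BOOT-INF/lib/")
JAR_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+?)-(?P<ver>\d[\w.\-]*)\.jar$")


def build_sample(jars, lib_dir="BOOT-INF/lib/"):
    """Build a constructed in-memory archive holding empty jar entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for jar in jars:
            zf.writestr(lib_dir + jar, b"")
    return buf.getvalue()


def triage(archive_bytes, filename):
    """Report which of the statement's conditions an archive meets."""
    bundled = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for entry in zf.namelist():
            for lib in LIB_DIRS:
                m = JAR_RE.match(entry[len(lib):]) if entry.startswith(lib) else None
                if m:
                    bundled[m["name"]] = m["ver"]
    affected = sorted(n for n in bundled if n in AFFECTED)
    server = next((s for s in ("tomcat", "jetty")
                   if any(n.startswith(s + "-") for n in bundled)), None)
    return {
        "affected_modules": affected,
        "war_packaging": filename.lower().endswith(".war"),
        "embedded_server": server,  # None for a WAR deployed to an external container
        "spring_core_version": bundled.get("spring-core"),
        # A scanner matching on the framework version alone flags this archive
        # even though neither affected module is bundled.
        "version_only_match": "spring-core" in bundled and not affected,
    }


if __name__ == "__main__":
    # Constructed sample: Spring core plus Jetty, no web MVC/WebFlux module.
    sample = build_sample(["spring-core-0.0.1.jar", "jetty-server-0.0.1.jar"])
    print(triage(sample, "app.jar"))
```

A result with `version_only_match` set and an empty `affected_modules` list corresponds to the false-positive case described in this statement.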

Tagged in: CVE-2022-22965, Spring MVC, Spring WebFlux, Vulnerability