spring4shell vulnerability | Community
April 3, 2022
Solved

spring4shell vulnerability

  • April 3, 2022
  • 3 replies
  • 4702 views

Hello Experts,

I am new to AEM and would like to know whether this new vulnerability, spring4shell, can affect our systems/servers.

There's no public-facing component of AEM. The content from AEM is "copied" over HTTP to the 2 IIS web servers in the DMZ.

We fixed the log4shell issue a few months back, but I am not sure whether spring4shell affects AEM servers.

Can anyone provide input on this issue?


Thanks!



3 replies

Raja-Karuppsamy
Community Advisor
April 4, 2022

@hrdrck 

1. Any application using Spring on Java 9 or newer, especially on Tomcat servers, is impacted (Java 8 does not appear to be vulnerable).
2. Recommend upgrading your software to Spring Framework 5.3.18.
3. Check the version under the bundles console if you are using that functionality.


Regards,

Raja

April 6, 2022

Hello,

AEM includes the bundle Adobe CQ DAM Scene7 Dynamic Imaging (com.adobe.cq.dam.cq-scene7-imaging) with spring-webmvc-5.2.3.RELEASE as an embedded dependency.

I haven't yet found any relevant answer on whether an AEM instance running on Java 11 is impacted by CVE-2022-22965.

Regards
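As an added example (not from this thread, from Adobe, or from the Spring project), the following Python script does what the two replies above describe by hand: it opens an OSGi bundle jar, descends into embedded jars such as the spring-webmvc-5.2.3.RELEASE.jar reported inside cq-scene7-imaging, flags Spring Framework versions older than 5.3.18 (or 5.2.20 on the 5.2.x line, per Spring's advisory), and applies the Java 9+ runtime check. The sample bundle is constructed inside the script; the nested-jar layout and the 5.2.20 figure are assumptions, not something the thread states.

```python
import io
import re
import zipfile

# Fixed Spring Framework releases for CVE-2022-22965: 5.3.18 (named in the
# thread) and 5.2.20 for the 5.2.x line (per Spring's advisory, assumed here).
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
SPRING_JAR = re.compile(r"(spring-[a-z]+)-(\d+\.\d+\.\d+)[^/]*\.jar$")

def parse_version(text):
    """'5.2.3.RELEASE' -> (5, 2, 3); qualifiers such as RELEASE are dropped."""
    return tuple(int(p) for p in text.split(".")[:3])

def needs_upgrade(version):
    """True if the version predates its line's fix (5.1 and older never got one)."""
    return version < FIXED.get(version[:2], (5, 2, 0))

def java_runtime_at_risk(java_version):
    """Java 9+ is the affected runtime; Java 8 reports itself as '1.8.0_x'."""
    return int(java_version.split(".")[0]) >= 9

def scan_bundle(data, location="bundle"):
    """List Spring jars in an OSGi bundle, descending into embedded jars."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".jar"):
                continue
            inner = f"{location}!/{name}"
            m = SPRING_JAR.search(name)
            if m:
                ver = parse_version(m.group(2))
                findings.append({"artifact": m.group(1), "version": m.group(2),
                                 "location": inner, "needs_upgrade": needs_upgrade(ver)})
            findings.extend(scan_bundle(zf.read(name), inner))  # nested jars
    return findings

def jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, b in entries.items():
            z.writestr(n, b)
    return buf.getvalue()

def build_sample_bundle():
    """Constructed stand-in for cq-scene7-imaging: embeds spring-webmvc 5.2.3."""
    empty = jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    return jar({"META-INF/MANIFEST.MF": b"Bundle-SymbolicName: sample.bundle\n",
                "spring-webmvc-5.2.3.RELEASE.jar": empty,
                "lib/spring-core-5.3.18.jar": empty})
```

Run `scan_bundle(open(path, "rb").read())` against a bundle jar exported from the AEM bundles console to list every embedded Spring artifact with its version and whether it predates the fix.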


April 12, 2022

@raja-karuppsamy, does Adobe have any available patches or communications regarding the bundle Adobe CQ DAM Scene7 Dynamic Imaging (com.adobe.cq.dam.cq-scene7-imaging) mentioned by @abdellah?

kautuk_sahni
Community Manager
Accepted solution
April 27, 2022

We are aware of the two vulnerabilities and available patches (CVE-2022-22965, CVE-2022-22963). We are patching within our standard vulnerability patching policies. Please reach out to Support for the update.


Kautuk Sahni