
SOLVED

spring4shell vulnerability


Level 1

Hello Experts,

I am new to AEM and would like to know if this new vulnerability, Spring4Shell, can affect our system/servers.

There's no public-facing component of AEM. The content from AEM is "copied" over HTTP to the 2 IIS web servers in the DMZ.

We fixed the Log4Shell issue a few months back, but I am not sure whether Spring4Shell affects AEM servers.

Can anyone provide input on this issue?


Thanks!

1 Accepted Solution


Correct answer by
Administrator

We are aware of the two vulnerabilities and available patches (CVE-2022-22965, CVE-2022-22963). We are patching within our standard vulnerability patching policies. Please reach out to Support for the update.




Kautuk Sahni


7 Replies


Community Advisor

@HrdRck 

1. Any application using Spring on Java 9 or newer, especially on Tomcat servers, is impacted (Java 8 does not appear to be vulnerable).
2. Recommend upgrading your software to Spring Framework 5.3.18.
3. Check the version under the bundles console if you are using that functionality.


Regards,

Raja


Level 1

Hello,

AEM includes the bundle Adobe CQ DAM Scene7 Dynamic Imaging (com.adobe.cq.dam.cq-scene7-imaging) with spring-webmvc-5.2.3.RELEASE as an embedded dependency.


I haven't yet found any relevant answer on whether an AEM instance running on Java 11 is impacted by CVE-2022-22965.


Regards



Level 1

@Raja-kp does Adobe have any available patches or communications regarding the bundle Adobe CQ DAM Scene7 Dynamic Imaging (com.adobe.cq.dam.cq-scene7-imaging) mentioned by @abdellah?


Level 1

Our AEM instance is running on Java 8. Do you know if that is impacted?


Although I see spring-webmvc-3.2.17.RELEASE.jar within the Adobe CQ DAM Scene7 Dynamic Imaging (com.adobe.cq.dam.cq-scene7-imaging) bundle. That bundle is active, with version 1.3.58.
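Raja's step 3 ("check the version under the bundles console") and the later observations about spring-webmvc jars embedded in the Scene7 bundle come down to the same check: the Felix bundles console lists a bundle's own version (1.3.58 here), not the versions of the jars on its Bundle-ClassPath, so you have to open the bundle jars themselves. The following is an added example, not code from this thread, from Adobe or from AEM, that scans a Felix bundle cache for embedded spring-*.jar entries and flags versions below the first releases that fix CVE-2022-22965 (5.3.18 for the 5.3 line, 5.2.20 for the 5.2 line; the 3.x and 4.x lines are out of support and never received a fix, so they are always flagged). The cache layout it assumes (crx-quickstart/launchpad/felix/bundleN/versionX/bundle.jar), the two sample bundles it constructs, and all helper names are assumptions for the example.

```python
"""Scan an AEM Felix bundle cache for embedded Spring Framework jars and flag
versions that predate the CVE-2022-22965 (Spring4Shell) fix releases.

Added example, not code from this thread, from Adobe or from AEM. Assumptions:
  * bundle jars live at <felix>/bundle*/version*/bundle.jar (the Felix bundle
    cache layout under crx-quickstart/launchpad/felix on an AEM 6.x quickstart);
  * embedded jars appear as entries named spring-<module>-<version>[.RELEASE].jar,
    as in the Scene7 imaging bundle discussed in the thread;
  * 5.3.18 and 5.2.20 are the first fixed releases; 3.x and 4.x are out of
    support and never received a fix, so they are always flagged.
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

SPRING_JAR = re.compile(r"spring-([a-z-]+)-(\d+)\.(\d+)\.(\d+)(?:\.RELEASE)?\.jar$")
FIRST_FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}


def parse_spring_jar(entry):
    """Return (module, (major, minor, patch)) for a Spring jar entry name, else None."""
    m = SPRING_JAR.search(entry)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2, 3, 4))


def is_fixed(version):
    """True only for a supported line (5.2 / 5.3) at or above its first fixed release."""
    fixed = FIRST_FIXED.get(tuple(version[:2]))
    return fixed is not None and tuple(version) >= fixed


def scan_bundle_jar(path):
    """List every embedded Spring jar in one bundle jar together with its fix status."""
    findings = []
    with zipfile.ZipFile(path) as bundle:
        manifest = bundle.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        bsn = re.search(r"^Bundle-SymbolicName:\s*([^;\r\n]+)", manifest, re.M)
        symbolic_name = bsn.group(1).strip() if bsn else "<unknown>"
        for entry in bundle.namelist():
            parsed = parse_spring_jar(entry)
            if parsed is None:
                continue
            module, version = parsed
            findings.append({
                "bundle": symbolic_name,
                "entry": entry,
                "module": module,
                "version": ".".join(map(str, version)),
                "fixed": is_fixed(version),
            })
    return findings


def scan_felix_cache(felix_dir):
    """Walk the cache; every bundle.jar is opened, not only bundles with 'spring' in the name."""
    findings = []
    for jar in sorted(Path(felix_dir).glob("bundle*/version*/bundle.jar")):
        findings.extend(scan_bundle_jar(jar))
    return findings


def build_sample_bundle(dest, symbolic_name, embedded_jars):
    """Constructed sample input: a minimal bundle jar that embeds empty Spring jars."""
    manifest = ("Manifest-Version: 1.0\r\n"
                f"Bundle-SymbolicName: {symbolic_name}\r\n"
                "Bundle-ClassPath: .," + ",".join(embedded_jars) + "\r\n\r\n")
    dest.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(dest, "w") as bundle:
        bundle.writestr("META-INF/MANIFEST.MF", manifest)
        for name in embedded_jars:
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as empty_jar:
                empty_jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
            bundle.writestr(name, inner.getvalue())


def run_demo():
    """Build a constructed two-bundle cache in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        felix = Path(tmp) / "crx-quickstart" / "launchpad" / "felix"
        # Hypothetical bundle numbers; the symbolic name and the 5.2.3 version are from the thread.
        build_sample_bundle(felix / "bundle42" / "version0.0" / "bundle.jar",
                            "com.adobe.cq.dam.cq-scene7-imaging",
                            ["spring-webmvc-5.2.3.RELEASE.jar", "spring-beans-5.2.3.RELEASE.jar"])
        # Hypothetical already-patched bundle for contrast.
        build_sample_bundle(felix / "bundle43" / "version0.0" / "bundle.jar",
                            "com.example.patched",
                            ["spring-webmvc-5.3.18.jar"])
        return scan_felix_cache(felix)


if __name__ == "__main__":
    for f in run_demo():
        status = "ok" if f["fixed"] else "PRE-FIX, raise with Support"
        print(f"{f['bundle']}: {f['entry']} -> spring-{f['module']} {f['version']} [{status}]")
```

Point `scan_felix_cache` at crx-quickstart/launchpad/felix on the author and on each publish instance, since the bundle sets can differ. A flagged jar shows that pre-fix Spring code is present on the instance; it does not by itself show that the vulnerable code path is reachable from a request, which is why the accepted answer's route of confirming the fix with Adobe Support is the right follow-up.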


Community Advisor

@kautuk_sahni Would you please help: is there any patch coming out to fix this issue? This has been reported as a vulnerability by our security team also. A fix is highly requested.


Administrator

I have asked the internal experts to get back here.



Kautuk Sahni
