Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

spring4shell vulnerability

Avatar

Level 1

Hello Experts,

I am new to AEM and would like to know if this new vulnerability spring4shell can affect our system/servers.

There's no public-facing component of AEM. The content from AEM is "copied" over HTTP to the 2 IIS web servers in the DMZ.

We had fixed log4shell issue few months back. But, I am not sure about spring4shell is affecting AEM servers.

Can anyone provide inputs on this issue.

 

Thanks!

1 Accepted Solution

Avatar

Correct answer by
Administrator

We are aware of the two vulnerabilities and available patches (C VE-2022-22965, C VE-2022-22963). We are patching within our standard vulnerability patching policies. Please reach out to Support for the update.

 

View solution in original post

7 Replies

Avatar

Community Advisor

@HrdRck 

1.Any application is using Spring on Java 9 or newer, especially TomCat servers are impacted  (Java 8 does not appear to be vulnerable)
2.Recommend upgrading your software to Spring Framework 5.3.18.
3.Check the version under bundles console if you are using that functionality.

 

Regards,

Raja

Avatar

Level 1

Hello, 

 

AEM includes the bundle Adobe CQ DAM Scene7 Dynamic Imaging (com.adobe.cq.dam.cq-scene7-imaging) with spring-webmvc-5.2.3.RELEASE as an embeded dependency. 

 

I didn't yet find any relevant answer if an AEM instance running on java 11 is impacted or not to CVE-2022-22965 

 

Regards

 

Avatar

Level 1

@Raja-kp does Adobe have any available patches or communications regarding the bundle Adobe CQ DAM Scene7 Dynamic Imaging (com.adobe.cq.dam.cq-scene7-imaging) mentioned by @abdellah

Avatar

Level 1

Our AEM instance is running on Java 8. Do you know if that is impacted?

 

Although I see spring-webmvc-3.2.17.RELEASE.jar within Adobe CQ DAM Scene7 Dynamic Imaging (com.adobe.cq.dam.cq-scene7-imaging) bundle. That bundle is active with 1.3.58 version.

Avatar

Community Advisor

@kautuk_sahni Would you please help if there is any patch coming out to fix this issue. This has been reported as a vulnerability from our security team also. A fix is highly requested. 

Avatar

Correct answer by
Administrator

We are aware of the two vulnerabilities and available patches (C VE-2022-22965, C VE-2022-22963). We are patching within our standard vulnerability patching policies. Please reach out to Support for the update.