I am new to AEM and would like to know if this new vulnerability, Spring4Shell, can affect our system/servers.
There's no public-facing component of AEM. The content from AEM is "copied" over HTTP to the 2 IIS web servers in the DMZ.
We fixed the Log4Shell issue a few months back, but I am not sure whether Spring4Shell affects AEM servers.
Can anyone provide input on this issue?
1. Any application using Spring on Java 9 or newer, especially on Tomcat servers, is impacted (Java 8 does not appear to be vulnerable).
2. Recommend upgrading your software to Spring Framework 5.3.18.
3. Check the version under the bundles console if you are using that functionality.
AEM includes the bundle Adobe CQ DAM Scene7 Dynamic Imaging (com.adobe.cq.dam.cq-scene7-imaging) with spring-webmvc-5.2.3.RELEASE as an embedded dependency.
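One way to turn the checks above (embedded Spring jar version, and the Java 9+ condition) into something repeatable is to scan a downloaded bundle jar for the spring-*.jar files it embeds, as in this added example, which is not code from the thread or from Adobe. It assumes the embedded jars sit under OSGI-INF/lib/ (an assumption; adjust to the real path inside your bundle) and uses a constructed stand-in bundle so it runs offline; 5.2.20 as the fix on the 5.2.x line is added here from the CVE-2022-22965 advisory, not from the thread.

```python
import io
import re
import zipfile

# Patched Spring Framework versions for CVE-2022-22965: 5.3.18 as the answer above
# recommends, and 5.2.20 as the fix on the 5.2.x line (added from the advisory, not the thread).
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
# Matches spring-webmvc-5.2.3.RELEASE.jar (pre-5.3 names carry ".RELEASE") and spring-beans-5.3.18.jar
SPRING_JAR = re.compile(r"(spring-[a-z0-9]+)-(\d+)\.(\d+)\.(\d+)(?:\.RELEASE)?\.jar$")

def version_is_patched(major, minor, patch):
    """True when this Spring Framework version carries the CVE-2022-22965 fix."""
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return (major, minor) > (5, 3)   # 6.x shipped after the fix; 4.x/5.0/5.1 never got one
    return (major, minor, patch) >= fixed

def scan_bundle(jar_bytes):
    """Walk an OSGi bundle jar and report every embedded spring-*.jar it contains.
    Returns a list of (entry_path, version_string, patched) tuples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as bundle:
        for name in bundle.namelist():
            m = SPRING_JAR.search(name)
            if not m:
                continue
            major, minor, patch = (int(x) for x in m.group(2, 3, 4))
            findings.append((name, f"{major}.{minor}.{patch}", version_is_patched(major, minor, patch)))
    return findings

def assess(findings, jvm_major):
    """Apply the thread's two conditions: an unpatched Spring jar AND a JVM of Java 9 or newer."""
    unpatched = [f for f in findings if not f[2]]
    if not unpatched:
        return "no unpatched Spring jars embedded"
    if jvm_major < 9:
        return "unpatched Spring jars present; Java 8 not known exploitable, upgrade anyway"
    return "unpatched Spring jars on Java 9+: treat as exposed to CVE-2022-22965"

def build_sample_bundle():
    """Constructed stand-in for the cq-scene7-imaging bundle: an outer jar wrapping two spring jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as bundle:
        # OSGI-INF/lib/ is an assumed embed directory; empty bodies stand in for the real jars
        for inner in ("OSGI-INF/lib/spring-webmvc-5.2.3.RELEASE.jar", "OSGI-INF/lib/spring-core-5.3.18.jar"):
            bundle.writestr(inner, b"")
    return buf.getvalue()

if __name__ == "__main__":
    print(assess(scan_bundle(build_sample_bundle()), jvm_major=11))
```

To run it against a real instance, download the bundle jar from the OSGi bundles console and pass its bytes to scan_bundle together with the JVM major version the instance actually runs on.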
I haven't yet found any relevant answer on whether an AEM instance running on Java 11 is impacted by CVE-2022-22965.
Our AEM instance is running on Java 8. Do you know if that is impacted?
Although I see spring-webmvc-3.2.17.RELEASE.jar within the Adobe CQ DAM Scene7 Dynamic Imaging (com.adobe.cq.dam.cq-scene7-imaging) bundle. That bundle is active with version 1.3.58.