
CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+ #364

Closed
Philip-Wu opened this issue Apr 1, 2022 · 7 comments

@Philip-Wu

Hi shinyproxy community

It might be early days, but I thought I would start the conversation about whether ShinyProxy is affected by this new vulnerability. Here's a link to a blog post by spring.io:
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Here's my assessment:

ShinyProxy 2.6.0 is running Spring Boot version 2.3.4, which is affected by the vulnerability, but we are executing it as a JAR file, not using Tomcat. So while the vulnerability is present, the environment in which the app is executed is still considered safe based on current knowledge (dated April 1, 2022).

Is that a fair statement?

@LEDfan
Member

LEDfan commented Apr 1, 2022

Hi

Thanks for opening this issue, we were aware of it and started working on a fix. While we were testing the temporary mitigation, the Spring project announced that it would release fixed versions soon. Therefore, we waited for an official fix of the Spring project.

We just released ShinyProxy 2.6.1. In this release Spring Boot (and thus Spring Core) has been updated to a patched version.

Is ShinyProxy affected by this?

ShinyProxy indeed uses the Spring framework; however, we use Undertow as the web server instead of Tomcat. In addition, we don't use the DataBinder system in our code. Therefore, we believe that the currently available exploits will not work on ShinyProxy. However, as pointed out by the Spring developers in their blog post, there may be other ways to exploit the bug which are currently not (publicly) known. Therefore we decided to release a new version of ShinyProxy.

The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Let's keep this issue open for a few days, while we monitor the developments around this issue.
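A triage check that encodes the reasoning in the post above (the vulnerable library being present is one question, the known exploit's preconditions of JDK 9+, Tomcat and a WAR deployment are another), written here as an added example and not ShinyProxy project code. The `BOOT-INF/lib` / `WEB-INF/lib` layout assumptions, the constructed sample archives and the `FIXED` baselines are assumptions; the baselines are taken from Spring's advisory for CVE-2022-22965 and should be confirmed against it before use.

```python
"""Exposure triage for CVE-2022-22965 on a Spring Boot archive (added example)."""
import io
import re
import zipfile

# Assumed patched baselines for spring-core, from Spring's advisory; confirm before use.
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Spring Boot executable jars keep libraries under BOOT-INF/lib, WAR files under WEB-INF/lib.
_LIB = r"(?:BOOT-INF|WEB-INF)/lib/"
_SPRING = re.compile(_LIB + r"spring-core-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")
_TOMCAT = re.compile(_LIB + r"tomcat-embed-core-[^/]*\.jar$")
_UNDERTOW = re.compile(_LIB + r"undertow-core-[^/]*\.jar$")


def assess(archive_bytes, java_major, fixed=FIXED):
    """Return the exposure conditions found in one archive for a given JDK major version."""
    names = zipfile.ZipFile(io.BytesIO(archive_bytes)).namelist()
    spring = None
    for n in names:
        m = _SPRING.match(n)
        if m:
            spring = tuple(int(x) for x in m.groups())
    container = ("tomcat" if any(_TOMCAT.match(n) for n in names)
                 else "undertow" if any(_UNDERTOW.match(n) for n in names) else None)
    packaging = "war" if any(n.startswith("WEB-INF/") for n in names) else "jar"
    baseline = fixed.get(spring[:2]) if spring else None
    library_vulnerable = bool(spring and baseline and spring < baseline)
    # The known exploit needs all of: unpatched spring-core, JDK 9+, Tomcat, WAR deployment.
    preconditions = bool(library_vulnerable and java_major >= 9
                         and container == "tomcat" and packaging == "war")
    return {"spring_core": spring, "container": container, "packaging": packaging,
            "library_vulnerable": library_vulnerable,
            "known_exploit_preconditions_met": preconditions}


def build_sample(spring_version, container_artifact, war=False):
    """Construct an in-memory archive (test data, not a real build) with the assumed layout."""
    lib = "WEB-INF/lib/" if war else "BOOT-INF/lib/"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{lib}spring-core-{spring_version}.jar", b"")
        zf.writestr(f"{lib}{container_artifact}-9.9.9.jar", b"")
        if war:
            zf.writestr("WEB-INF/web.xml", b"<web-app/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Mirrors the thread's case: old spring-core, Undertow, executable jar, JDK 11.
    print(assess(build_sample("5.3.4", "undertow-core"), 11))
```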

@adefewings

Download links on shinyproxy.io don't appear to point to anything at the moment?

@LEDfan
Member

LEDfan commented Apr 1, 2022

We made the downloads available again. Thanks for the heads-up.

@nsyed4

nsyed4 commented Apr 1, 2022

Hi, I am using shinyproxy-2.5.0. Am I impacted? I am using OpenDJ 1.8.

@LEDfan
Member

LEDfan commented Apr 1, 2022

Hi @nsyed4,
All ShinyProxy versions contain the vulnerable library; please see the explanation above for an indication of the risk. We advise upgrading to 2.6.1.

@Philip-Wu
Author

I noticed that version 2.6.1 also has the upgraded log4j-api-2.17.2.jar, which addresses the Log4Shell vulnerability, for added peace of mind. Previously I had manually patched log4j myself, but it's nice to see this version already has this upgrade. Thanks guys.

@Philip-Wu
Author

I had some SAML issues with the new version 2.6.1,

"org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message"

but resolved it following the workaround here:

#342

Probably not related to the Spring Framework upgrades, but more to do with my environment.

@LEDfan LEDfan closed this as completed Aug 8, 2022