Description
The following SER software components are potentially affected by Spring4Shell:
- Doxis4 Storage Service
- Doxis4 mobileCube Gateway Service
These services are affected ONLY IF ALL of the following conditions are met:
- the system is deployed in Apache Tomcat
- the system is deployed using Java 11 (Java 8 is not affected)
- the Tomcat used for deployment is older than 8.5.78 (Tomcat 8) or 9.0.62 (Tomcat 9)
As a fast mitigation, we recommend updating Apache Tomcat to 8.5.78 (Tomcat 8) or 9.0.62 (Tomcat 9).
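The three conditions above can be checked mechanically against the output of `catalina.sh version` and `java -version`. The script below is an added example, not part of SER's advisory; it treats the Java condition as the general Spring4Shell precondition (JDK 9 or later, of which the advisory's Java 11 case is one instance) and reports Tomcat branches other than 8.x and 9.x as not covered by the advisory. The sample command outputs are constructed.

```python
import re
from typing import Optional, Tuple

# Fixed Tomcat releases named in the advisory, keyed by major branch.
TOMCAT_FIXED = {8: (8, 5, 78), 9: (9, 0, 62)}

# Constructed sample outputs of 'catalina.sh version' and 'java -version'.
SAMPLE_TOMCAT_OLD = "Server version: Apache Tomcat/9.0.58"
SAMPLE_TOMCAT_FIXED = "Server version: Apache Tomcat/9.0.62"
SAMPLE_JAVA_11 = 'openjdk version "11.0.14" 2022-01-18\nOpenJDK Runtime Environment'
SAMPLE_JAVA_8 = 'openjdk version "1.8.0_312"\nOpenJDK Runtime Environment'


def parse_tomcat_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from 'Apache Tomcat/x.y.z', or None if absent."""
    m = re.search(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def parse_java_major(text: str) -> Optional[int]:
    """Return the Java major version; handles legacy '1.8.0_312' (-> 8) and '11.0.14' (-> 11)."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', text)
    if not m:
        return None
    major = int(m.group(1))
    return int(m.group(2)) if major == 1 and m.group(2) else major


def assess(tomcat_output: str, java_output: str) -> Tuple[str, str]:
    """Apply the advisory's conditions and return (verdict, reason)."""
    tomcat = parse_tomcat_version(tomcat_output)
    java = parse_java_major(java_output)
    if tomcat is None:
        return "not affected", "not deployed in Apache Tomcat"
    if java is None:
        return "unknown", "could not determine Java version"
    if java < 9:  # advisory: Java 8 is not affected
        return "not affected", f"Java {java} runtime"
    fixed = TOMCAT_FIXED.get(tomcat[0])
    if fixed is None:
        return "unknown", f"Tomcat {tomcat[0]}.x branch is not covered by the advisory"
    fixed_str = ".".join(map(str, fixed))
    if tomcat >= fixed:  # tuple comparison orders versions correctly
        return "mitigated", f"Tomcat {'.'.join(map(str, tomcat))} >= {fixed_str}"
    return "affected", f"update Tomcat to {fixed_str} or apply the component patch"


if __name__ == "__main__":
    for tc, jv in [(SAMPLE_TOMCAT_OLD, SAMPLE_JAVA_11), (SAMPLE_TOMCAT_FIXED, SAMPLE_JAVA_11),
                   (SAMPLE_TOMCAT_OLD, SAMPLE_JAVA_8)]:
        print(assess(tc, jv))
```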
Please note that there are further software components which include the Spring Framework but are not affected by the vulnerability.
Nevertheless, the Spring Framework will be updated in all components to 5.3.18+ or 5.2.20+ with the next patches.
Update as of 04/07/2022:
A patch for the Doxis4 Storage Service is expected to be released by 04/14/2022. In this patch the Spring Framework will be updated.
Update as of 04/19/2022:
Contrary to initial assumptions, the Doxis4 CMIS connector is not affected!
The patch for the Storage Service is available with Doxis4 CSB V4.02p1.
Hotfix 4.2p1.1 is available for the mobileCube Gateway.
[APA, 20.04.2022 07:59]
Related links
- Official Spring blog
- Official CVE
- Security Scanner