Spring4Shell Security Vulnerabilities - On Premises Customers
Released: April 5, 2022
On April 01, 2022, two critical remote code execution (RCE) vulnerabilities (CVE-2022-22965 and CVE-2022-22963) were disclosed in the Spring framework, a comprehensive programming and configuration model for modern Java-based enterprise applications.
The vulnerabilities affect Spring Core and Spring Cloud Function.
By exploiting these remote code execution vulnerabilities, an attacker can bypass access controls and download and subsequently execute a malicious payload.
References:
- https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
- https://nvd.nist.gov/vuln/detail/CVE-2022-22965
Primo on-premises customers running Primo versions from February 2021 onwards may be vulnerable to this threat. They are advised to upgrade to the Primo February 2022 version and then follow the instructions below to upgrade to Tomcat version 9.0.62.