Riccardo Sirchia (https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A1b262032-473e-485b-a554-da05a6fa6140) *created* an issue

GeoServer (https://osgeo-org.atlassian.net/browse/GEOS?atlOrigin=eyJpIjoiNTZmZmZmNzE1ZTQ0NDhiOWIxOGMxMzI5NTc0NzRlYjAiLCJwIjoiaiJ9) / Bug GEOS-10441: 'SpringShell' vulnerability (CVE-2022-22965)
https://osgeo-org.atlassian.net/browse/GEOS-10441?atlOrigin=eyJpIjoiNTZmZmZmNzE1ZTQ0NDhiOWIxOGMxMzI5NTc0NzRlYjAiLCJwIjoiaiJ9

Issue Type: Bug
Assignee: Unassigned
Created: 01/Apr/22 11:17 AM
Priority: Medium
Reporter: Riccardo Sirchia (https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A1b262032-473e-485b-a554-da05a6fa6140)

A new vulnerability has been identified in Spring-Framework; the exploit allows for Remote Code Execution.

Spring-Framework versions *5.3.17, 5.2.19* and older are vulnerable.

Information on the internet is currently being updated. Some background 
information:

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

https://blog.sonatype.com/new-0-day-spring-framework-vulnerability-confirmed

Proposed mitigation: Update to *5.3.18* (or optionally *5.2.20*) or higher.
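An added inventory check, not part of this issue or of GeoServer itself, that applies the version thresholds stated above to the Spring Framework jar names found in a deployment's WEB-INF/lib directory; the sample listing is constructed, and the jar naming pattern is an assumption about how Spring artifacts appear there.

```python
import re
from pathlib import Path

# First safe patch level per minor branch, taken from this report:
# 5.3.x is fixed at 5.3.18, 5.2.x at 5.2.20. Anything older is vulnerable.
FIXED = {(5, 3): 18, (5, 2): 20}

# Assumed jar naming: spring-<module>-<major>.<minor>.<patch>[.RELEASE].jar
# Only Spring Framework modules are matched; spring-security-* and similar
# projects use their own version lines and are deliberately excluded.
JAR_RE = re.compile(
    r"^spring-(?:core|beans|context|expression|aop|web|webmvc|jdbc|tx|orm)"
    r"-(\d+)\.(\d+)\.(\d+)(?:[.-][\w.]+)?\.jar$"
)


def is_vulnerable(version: str) -> bool:
    """True when a Spring Framework version is at or below the affected ceiling."""
    major, minor, patch = (int(x) for x in version.split(".")[:3])
    if major != 5:
        return major < 5          # 4.x and older: "and older are vulnerable"
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return minor < 2          # 5.0.x / 5.1.x predate 5.2.19; later branches are fixed
    return patch < fixed_patch


def scan_lib(jar_names):
    """Return {jar_name: version} for every Spring Framework jar that is vulnerable."""
    findings = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if m:
            version = ".".join(m.groups())
            if is_vulnerable(version):
                findings[name] = version
    return findings


def scan_dir(lib_dir):
    """Scan a real WEB-INF/lib directory, e.g. scan_dir('/opt/geoserver/WEB-INF/lib')."""
    return scan_lib(p.name for p in Path(lib_dir).glob("*.jar"))


# Constructed sample listing, not taken from a real GeoServer install.
SAMPLE_LIB = [
    "spring-core-5.3.17.jar",
    "spring-web-5.3.18.jar",
    "spring-beans-5.2.19.RELEASE.jar",
    "gt-main-27.0.jar",
    "spring-security-core-5.5.1.jar",
]

if __name__ == "__main__":
    for jar, ver in scan_lib(SAMPLE_LIB).items():
        print(f"VULNERABLE: {jar} (Spring Framework {ver})")
```

The check reflects only the version thresholds given in this report; it does not evaluate the runtime conditions under which the flaw is reachable.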


_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel