Spring4Shell Vulnerability

Aaron_Kiemele
Contributor
Contributor

SpringShell: Spring Core RCE 0-day Vulnerability

UPDATE: 4/2

Thank you for your patience as we continued to monitor and work through the Spring Framework vulnerability. Jamf Pro 10.37.2, which includes the patched version of the spring framework, is now generally available and should completely mitigate the issue.
 
For additional information in this release please read full release notes here.
 
Cloud customers will be patched automatically. The schedule for server updates can be found here
  
For our on premises customers, 10.37.2 and 10.36.4 are both available to mitigate this vulnerability. Further information can be found in release notes. 

Details of this vulnerability, along with a CVE, have now been published. We are actively investigating any impact resulting from this vulnerability across all of our products, and we will update this thread with information as we learn more. 

 

UPDATE 3/31

Here are some FAQs on this vulnerability.

  • What is Spring4Shell?
    • Spring4Shell is the name given to a zero-day vulnerability in the Spring Core Framework, a programming and configuration model for Java-based enterprise applications.
  • Has a CVE been assigned to this vulnerability?
    • The CVE is CVE-2022-22965.
  • Is there a patch available for Spring4Shell?
    • As of today, March 31, Spring Framework versions 5.3.18 and 5.2.20 have been released. According to the vulnerability announcement from Spring, Spring Boot version 2.6.6 and 2.5.12 (both depend on Spring Framework 5.3.18) have been released.
  • How severe is Spring4Shell?
    • An attacker could exploit Spring4Shell by sending a specially crafted request to a vulnerable server. However, exploitation of Spring4Shell requires certain prerequisites.
    • According to Spring, the following requirements were included in the vulnerability report, but this may not be a complete list of requirements:
    • Java Development Kit (JDK) 9 or greater
    • Apache Tomcat as the Servlet container
    • Packaged as a WAR
    • spring-webmvc or spring-webflux dependency
  • What versions of Spring Core Framework are affected?
    • As of March 31, Spring versions 5.3.18 and 5.2.20 have been released to address CVE-2022-22965. 
    • Affected VMware Products and Versions
    • Severity is critical unless otherwise noted.
    • Spring Framework
      • 5.3.0 to 5.3.17
      • 5.2.0 to 5.2.19
      • Older, unsupported versions are also affected
  • Are any Jamf products impacted by this vulnerability?
    • We are actively investigating any impact this vulnerability poses to all Jamf products. 
  • Is there any action a Jamf customer should be taking to secure their Jamf environment?
    • Not at this time

We will update this post with additional information as soon as we have it.

Aaron Kiemele

CISO, Jamf

16 REPLIES 16

CrawfordRobson
New Contributor III

Hi,

Thanks Aaron  found a lot of springframeworks in the Jamf Pro (Cloud) instance server logs (example below) how quickly will this be patched out?

 

webmvc-5.3.11.jar:5.3.11]
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963) ~[spring-webmvc-5.3.11.jar:5.3.11]

CrawfordRobson
New Contributor III

Do we know if any other Jamf Product are affected by CVE-2022-22965?

TeamOC
New Contributor II

Are previous (ex: <10.37.0) versions not affected, and that is the reason the update is being held off? Or is it because the fix will be available very soon and JAMF is avoiding having to update all their cloud servers twice within a very short period?

Discher
New Contributor III

Can we update to Tomcat 8.5.78 to close the attack vector?

Aaron_Kiemele
Contributor
Contributor
We still have yet to verify any exploitable path to our customers, regardless of what Jamf products they use. Our team is working around the clock investigating this reported vulnerability, and we will continue to update you as soon as we learn more. 
 
Regardless, we plan to reschedule the 10.37.1 upgrade that includes the patched spring libraries as soon as possible, including potentially over the weekend. We will alert you via email and through Jamf Nation when that upgrade is scheduled. 
 
Thank you,
Aaron
CISO, Jamf

ncats_lab
New Contributor III

I'd like to second what @Discher asked - how may we patch Tomcat ourselves?

I've asked this before, and Jamf has been mute - but they constantly put out new patches for Jamf Pro with outdated Tomcat versions (10.37.0 came with an old version). We need a method of updating Tomcat to the latest Tomcat 8 version without waiting on Jamf

bentoms
Honored Contributor III
Honored Contributor III

@ncats_lab if you use the manual installer.. you then manage tomcat etc yourself.

..and, AFAIK.. this vuln isn't Tomcat.. but a framework used within Jamf Pro's .war

ncats_lab
New Contributor III

It can be mitigated by upgrading Tomcat:

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

"

Suggested Workarounds

If you’re able to upgrade to Spring Framework 5.3.18 and 5.2.20, no workarounds are necessary. Downgrading to Java 8 provides a viable workaround, which may be a quick and simple thing to do as a tactical solution, until you can upgrade to a supported Spring Framework version.

For older, unsupported Spring Framework versions, upgrading to Apache Tomcat 10.0.20, 9.0.62, or 8.5.78 provides protection against the reported attack vector. However, applying the workarounds described next is still a good step to prevent any other possible attack vectors."

 

Also, we use the tarbal from Jamf to upgrade Jamf (with a .run) . We shouldn't have to do this manually each time in order to replace Tomcat

ncats_lab
New Contributor III

Also, of note - there is documentation for manually upgrading Jamf Pro on Windows, but not for Linux - the only option provided is upgrading with the installer. 

https://docs.jamf.com/10.37.0/jamf-pro/install-guide-linux/Upgrading_Jamf_Pro_Using_the_Installer_on...

bentoms
Honored Contributor III
Honored Contributor III

@ncats_lab we use the manual installer for our ubuntu kubernetes jamf pro pods.

Basically.. install java.. tomcat.. drop the .war into the web apps directory of tomcat... start tomcat..

In this scenario, mysql is elsewhere.

ncats_lab
New Contributor III

Thank you @bentoms . Unfortunately, this is going to take some more detailed work. 

I tried to manually upgrade, but it reported that web.xml was corrupted. I replaced the new web.xml from the upgraded Tomcat with the original, so I am assuming that there was some change that I am not aware of. But I'm going to try to troubleshoot stuff when I have time. 

Thanks again - hopefully, Jamf will provide updated documentation for manual upgrades on Linux.

 

Aaron_Kiemele
Contributor
Contributor
Thank you for your patience as we continued to monitor and work through the Spring Framework vulnerability. Jamf Pro 10.37.2, which includes the patched version of the spring framework, is now generally available and should completely mitigate the issue.
 
For additional information in this release please read full release notes here.
 
Cloud customers will be patched automatically. The schedule for server updates can be found here
  
For our on premises customers, 10.37.2 and 10.36.4 are both available to mitigate this vulnerability. Further information can be found in release notes. 
 
Thank you,
Aaron Kiemele
CISO, Jamf

We are still running 10.35. There's no published evidence from you that Jamf Pro is affected by this vulnerability, but for peace of mind, it would be good if you tell us if there's a way to manually patch the Spring framework (as there was with the log4j libraries).

mschroder
Valued Contributor

Due to the mysql dependencies we are still with 10.34.2, so is there anything we can do to mitigate the vulnerability, or do we have to try an emergency update of the mysql version?

dpratl
Contributor II

As @TeamOC asked (but I was not able to find the answer, if there is any already, sorry ;)):

Are versions <10.36.x also affected? I was not able to find a hint for that.

Thank you

BR
Daniel

Aaron_Kiemele
Contributor
Contributor

Versions prior to 10.36 do contain the vulnerable Spring component. We do not recommend manual upgrades as it is more complex than a direct update of the impacted component, and may cause instability or future update issues. While we did not see a clean path to direct exploitation within Jamf products in the short time since this vulnerability was identified, we recommend everyone update to 10.36.4 or 10.37.2

 

Aaron Kiemele
CISO, Jamf