Spring Remote Code Execution (RCE) Vulnerability - ("Spring4Shell")

Camunda is aware of the vulnerability that is often referred to as "Spring4Shell" (CVE-2022-22965) and described in Spring's announcement "Spring Framework RCE, Early Announcement".


TL;DR:

  • As of now, we were not able to identify a possible exploit of this vulnerability in Camunda Platform 7 (including Optimize and Cawemo) as well as Camunda Cloud (including Zeebe, Operate, Tasklist, IAM and Web Modeler).*

  • Users are advised to check their own custom applications against this announcement.

Specific information by Camunda Module / Product:

Automation Platform 7

Camunda Engine, Cockpit, Tasklist v7.x

  • As of now, we have not been able to identify a possible exploit of this vulnerability in Camunda Automation Platform 7

  • Camunda uses spring-webmvc in a few modules; however, our current understanding is that we do not meet the requirements for the vulnerability to be exploited.

  • Users who embed Camunda in a custom Spring-based application should double-check their setup against this announcement.
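
To make that double-check concrete, here is a small artifact scanner (an added example, not Camunda's or Spring's own tooling) that inspects a built WAR or Spring Boot jar for the prerequisites the Spring announcement lists: JDK 9 or newer, a traditional WAR rather than an executable jar, a spring-webmvc or spring-webflux dependency, and a Spring Framework version without the fix (the fix shipped in Spring Framework 5.3.18 and 5.2.20; older lines are out of support and have no fix). The archives below are constructed in memory for illustration; in practice you would pass the bytes of your deployed artifact and the output of `java -version` on the target host. A result of "not all prerequisites met" is not a proof of safety, since Spring warned that other exploitation paths may exist, so the `patched` flag is the one to act on.

```python
"""Spring4Shell (CVE-2022-22965) exposure check for a built Spring artifact.

Added example, not part of the Camunda announcement. It only inspects
archive entry names and a `java -version` string; it does not run anything.
"""
import io
import re
import zipfile

# Spring Framework releases that contain the fix for CVE-2022-22965.
# Lines not listed here (5.1.x and earlier) are unsupported and unpatched.
FIXED_IN = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Matches the Spring jars we care about under either WAR or Boot lib dirs.
LIB_RE = re.compile(
    r"^(?:WEB-INF|BOOT-INF)/lib/(spring-(?:webmvc|webflux|beans))-"
    r"(\d+)\.(\d+)\.(\d+)[^/]*\.jar$"
)


def jdk_major(version_string):
    """Major JDK version from a `java -version` style string.

    '1.8.0_322' -> 8, '11.0.14' -> 11, '17.0.2' -> 17, '17' -> 17.
    """
    m = re.match(r"(\d+)(?:\.(\d+))?", version_string.strip())
    if not m:
        return None
    major = int(m.group(1))
    minor = int(m.group(2)) if m.group(2) is not None else 0
    return minor if major == 1 else major  # legacy 1.x numbering


def spring_fixed(version):
    """True if this Spring Framework version contains the fix."""
    fixed = FIXED_IN.get(version[:2])
    return fixed is not None and version >= fixed


def assess_entries(entries, java_version):
    """Evaluate the Spring4Shell prerequisites from archive entry names."""
    if any(e.startswith("BOOT-INF/") for e in entries):
        packaging = "boot-jar"  # Spring Boot executable jar layout
    elif any(e.startswith("WEB-INF/") for e in entries):
        packaging = "war"  # traditional servlet-container WAR
    else:
        packaging = "unknown"

    web_modules = set()
    beans_version = None
    for e in entries:
        m = LIB_RE.match(e)
        if not m:
            continue
        name = m.group(1)
        ver = tuple(int(x) for x in m.group(2, 3, 4))
        if name == "spring-beans":
            beans_version = ver  # the vulnerable code lives in spring-beans
        else:
            web_modules.add(name)

    jdk = jdk_major(java_version)
    prereqs = {
        "jdk9_or_newer": jdk is not None and jdk >= 9,
        "traditional_war": packaging == "war",
        "spring_web_module": bool(web_modules),
        "spring_unpatched": beans_version is not None and not spring_fixed(beans_version),
    }
    return {
        "packaging": packaging,
        "web_modules": sorted(web_modules),
        "spring_beans": beans_version,
        "jdk_major": jdk,
        "prerequisites": prereqs,
        "all_prerequisites_met": all(prereqs.values()),
        "patched": beans_version is not None and spring_fixed(beans_version),
    }


def assess_archive(archive_bytes, java_version):
    """Same check, reading entry names from WAR/jar bytes."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return assess_entries(zf.namelist(), java_version)


def make_archive(entries):
    """Build an in-memory zip with empty entries (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for e in entries:
            zf.writestr(e, b"")
    return buf.getvalue()


# Constructed samples: a traditional WAR on Spring 5.3.17 and a Boot jar on 5.3.18.
SAMPLE_WAR = make_archive([
    "WEB-INF/web.xml",
    "WEB-INF/lib/spring-webmvc-5.3.17.jar",
    "WEB-INF/lib/spring-beans-5.3.17.jar",
    "WEB-INF/lib/camunda-engine-7.17.0.jar",
])
SAMPLE_BOOT_JAR = make_archive([
    "BOOT-INF/classes/application.yaml",
    "BOOT-INF/lib/spring-webmvc-5.3.18.jar",
    "BOOT-INF/lib/spring-beans-5.3.18.jar",
])

if __name__ == "__main__":
    for label, data in (("war", SAMPLE_WAR), ("boot-jar", SAMPLE_BOOT_JAR)):
        print(label, assess_archive(data, "17.0.2"))
```

For a real deployment, read the artifact with `open(path, "rb").read()` and pass the first line of `java -version` from the host that runs it; the Tomcat prerequisite is about where the WAR is deployed, which the archive alone cannot tell you, so confirm the container separately.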

Nevertheless, we plan on updating Spring and Spring Boot in the 7.17/7.16/7.15 patch releases at the end of April and in the 7.18 alpha on 10 May:

https://jira.camunda.com/browse/CAM-14516

Optimize

  • As of now, we were not able to identify a possible exploit of this vulnerability in Optimize.

  • The prerequisites listed in Spring Framework RCE, Early Announcement include using Apache Tomcat as the servlet container, being packaged as a traditional WAR, and using either the spring-webmvc or spring-webflux dependencies. Optimize does not meet any of these criteria.

Nevertheless, Optimize has updated its Spring version to 5.2.19, as well as its other Spring dependencies. These will be included in the forthcoming 3.8.0 release on April 12. Given that we don’t consider Optimize to be vulnerable to attack, we will not proactively provide a patch for the 3.7.x release. We will reevaluate that if the situation changes.

Cawemo & Web Modeler

  • As of now, we were not able to identify a possible exploit of this vulnerability in Cawemo and Web Modeler via the particular exploit described in the official blog post.

  • At least two of the prerequisites apply neither to Cawemo SaaS/On-Premises nor to Web Modeler: "Apache Tomcat as the Servlet container" and "Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)" (Cawemo/Web Modeler are packaged as an executable jar with an embedded Undertow).

Nevertheless, we updated both products to Spring Boot 2.6.6 (which includes a fix for the CVE) on Fri, April 1 2022. The update to Spring Boot 2.6.6 will also be included in the upcoming 1.9.2 patch release of Cawemo On-Premises (scheduled for April 7).

Camunda Cloud
