We use Tomcat, and version Tomcat 9.0.62 is supposed to fix the spring4shell vuln. To what extent is it the case? Are we safe not to upgrade to the latest Spring version?

schroeder
veronicam
  • Related reading: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/ –  Apr 08 '22 at 15:32

1 Answer

The guidelines from the Spring framework state that upgrading Tomcat provides "adequate" protection; however, it is recommended to further harden by altering the disallowed fields parameters. I looked through the Tomcat source and found this commit, which should resolve the issue shown in the Proof of Concept (but it's possible, and honestly probable, that there are tangential, related attacks still available). Ultimately, it's probably safe to not upgrade, but it depends on your threat model, and it's highly recommended to have the dependency itself patched as well.

belkarx
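The "disallowed fields" hardening the answer refers to is a Spring MVC data-binding restriction: a global `@ControllerAdvice` that registers an `@InitBinder` denying bind paths that reach the `class` property (the path the Spring4Shell Proof of Concept travels through `getClass()`). The following is an added example written for this page, not code from the question, the answer or the Spring project; the class name `GlobalBinderHardening` is my own choice, and it assumes a Spring Boot or Spring MVC application in which the advice is component-scanned.

```java
package example.hardening; // assumed package name for this example

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global data-binder hardening against CVE-2022-22965 (Spring4Shell).
 *
 * Spring MVC binds request parameters onto model objects by property path.
 * Denying any path that touches "class" stops a request from walking
 * getClass() -> classLoader -> ... into container internals.
 *
 * LOWEST_PRECEDENCE makes this advice run last, so it cannot be overridden
 * by an earlier advice; note that a controller-local @InitBinder which
 * calls setDisallowedFields itself would still replace this list for that
 * controller, so such methods must include these patterns too.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class GlobalBinderHardening {

    // Both capitalisations are listed because pattern matching in older
    // Spring Framework versions is case-sensitive; fixed versions match
    // case-insensitively, where the duplicates are simply redundant.
    private static final String[] DENYLIST = {
            "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        dataBinder.setDisallowedFields(DENYLIST);
    }
}
```

Treat this as defence in depth alongside the Tomcat and Spring upgrades rather than a substitute for them: it only constrains Spring MVC's parameter binding, so it does nothing for whatever other binding or deserialization paths an application may expose, and it must be verified in a test that submits a `class.module.classLoader`-style parameter and confirms the binder rejects it rather than silently binding it.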