Are there impacts to any of the DX NetOps Performance Management components due to the new Spring4Shell zeroday exploits?
Are there impacts to the DX NetOps Performance Management Portal web server due to the new Spring4Shell zeroday exploits?
Are there impacts to the DX NetOps Performance Management Data Aggregator due to the new Spring4Shell zeroday exploits?
Are there impacts to the DX NetOps Performance Management Data Repository due to the new Spring4Shell zeroday exploits?
Are there impacts to the DX NetOps Performance Management Data Collector due to the new Spring4Shell zeroday exploits?
Are there impacts to the DX NetOps Performance Management Data Aggregator Proxy host due to the new Spring4Shell zeroday exploits?
Spring4Shell: New RCE vulnerability uncovered in Java framework
A new vulnerability in the Spring Core Java framework that could allow for unauthenticated remote code execution (RCE) on vulnerable applications was publicly disclosed yesterday (March 30), before a patch was issued.
Dubbed Spring4Shell (CVE-2022-22965), proof-of-concept exploit code was leaked on GitHub shortly after its discovery. This code was swiftly removed, but not before it was downloaded by several security researchers who confirmed the vulnerability. It was also reposted on various platforms, meaning it was available to the public, including malicious actors. BleepingComputer reported that it had been told Spring4Shell was being actively exploited in attacks prior to the release of a patch for the bug.
In a blog this morning, Spring confirmed the bug and said it had been reported to it by researchers on Tuesday night (March 29). Spring has released Spring Framework 5.3.18 and 5.2.20, which it says address the vulnerability. Corresponding Spring Boot releases are in progress.
Spring Core is a popular application framework that allows software developers to quickly and easily develop Java applications with enterprise-level features. These applications can then be deployed on servers, such as Apache Tomcat, as stand-alone packages with all the required dependencies.
The bug allows an unauthenticated attacker to execute arbitrary code on a target system. There was some initial confusion about the severity of the bug, with it initially reported that all versions of Spring Core with the JDK version greater than or equal to 9.0 were vulnerable. However, researchers subsequently determined that it appears Spring Core must be configured in a certain way to be vulnerable. Spring confirmed in its CVE report that certain prerequisites were required for the bug to be exploitable.
All supported DX NetOps Performance Management releases
There is no impact for this vulnerability on DX NetOps Performance Management component systems.
The documented exploit for CVE-2022-22965 requires spring-webmvc or spring-webflux in a Tomcat servlet container running on Java 9+.
None of the DX NetOps Performance Management component systems use spring-webflux, however spring-webmvc is used in these component systems.
None of the impacted servers operate in a Tomcat servlet container.
Additionally, the spring-webmvc exploit is tied to use of the webmvc model itself. These servers do not use the model, but do rely on other components of the spring-webmvc jar. Therefore, these servers are not at risk.
Users of affected versions should apply the following mitigation: 5.3.x users should upgrade to 5.3.17+. 5.2.x users should upgrade to 5.2.20+.
DX NetOps 21.2.10 comes with Spring Framework 5.3.18.
DX NetOps 21.2.12 comes with Spring Framework 5.3.20.
Note: the above Spring Framework updates in release 21.2.10 and 21.2.12 are referred to the NetOps Portal component. Data Aggregator and Data Collector will have the Spring Framework update with the next NetOps Performance Management release.
Article Last Updated: 2022-06-20 @ 04:55 PM EDT
For additional information for the various products under NetOpos please see the Knowledge Base article Is DX NetOps affected by CVE-2022-22963 and CVE-2022-22965?