Got feedback or spotted a mistake?

Leave a comment at the end of this page or email contact@krishagni.com

CVE-2022-22965 (Spring RCE / Spring Shell)

Is OpenSpecimen vulnerable to CVE-2022-22965 (Spring RCE) exploit?

Based on the information available at the moment (2022/04/01 10:00 AM IST), our analysis suggests the answer is - No.

One or more conditions required for exploiting the vulnerability are not satisfied -

  1. The exploit requires the application to run on a Java 9+ runtime environment: it uses Java modules, which were introduced in Java 9, to reach the class loaders. All OpenSpecimen installations that we support run on the Java 8 runtime environment, which lacks the modules feature.

  2. The exploit also requires the application to use the Spring framework's DataBinder to deserialise form data (name=value pairs) into POJOs. OpenSpecimen exchanges data in JSON format, which is not processed by DataBinder.

Therefore OpenSpecimen is not vulnerable to this exploit.

Upgrade to Spring 5x

We have plans to upgrade to Spring 5x, get rid of the dependency on Tomcat, and run OpenSpecimen as a standalone process. The idea is to complete this upgrade by the end of CY 2022. However, this plan could be impacted by unforeseen events that are not in our control.

Mitigation

Although OpenSpecimen does not suffer from this vulnerability, out of an abundance of caution we plan to prevent WebDataBinder from processing the risky names containing the class keywords: class.*, Class.*, *.class.*, *.Class.*, etc. This fix will be available in OpenSpecimen v9.0.
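One way to apply such a WebDataBinder restriction in a Spring application, as an added example that is not OpenSpecimen's own code: a @ControllerAdvice whose @InitBinder method adds the patterns listed above to every binder's disallowed-field list. The class and method names are hypothetical; the pattern list is the one named above.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Hypothetical controller advice (added example, not OpenSpecimen code).
 * Spring runs every @InitBinder method found in a @ControllerAdvice for each
 * WebDataBinder it creates, so the patterns below apply to all endpoints that
 * bind name=value form data. LOWEST_PRECEDENCE orders this bean after any
 * other @ControllerAdvice beans.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class ClassLoaderBindingGuard {

    // The names the mitigation lists. Both spellings are needed because the
    // disallowed-field matching in the affected Spring versions is case-sensitive.
    private static final String[] RISKY_FIELDS = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void denyClassLoaderFields(WebDataBinder binder) {
        // setDisallowedFields() replaces the current list rather than
        // appending to it, so merge with anything already configured.
        Set<String> merged = new LinkedHashSet<>();
        String[] existing = binder.getDisallowedFields();
        if (existing != null) {
            for (String field : existing) {
                merged.add(field);
            }
        }
        for (String field : RISKY_FIELDS) {
            merged.add(field);
        }
        binder.setDisallowedFields(merged.toArray(new String[0]));
    }
}
```

A controller's own @InitBinder method runs after the global advice, so one that calls setDisallowedFields with a fresh list would drop these patterns again; such methods should merge in the same way.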
