
Is OpenSpecimen vulnerable to CVE-2022-22965 (Spring RCE) exploit?

Based on our analysis using the information available at the moment (2022/04/01 10:00 AM IST), the answer is No.

One or more of the conditions required to exploit the vulnerability are not satisfied:

  1. The exploit requires the application to run on a Java 9 or later runtime environment. It uses Java modules, which were introduced in Java 9, to reach the class loader. All OpenSpecimen installations that we support run on a Java 8 runtime environment, which lacks the module system.

  2. The exploit also requires the application to use the Spring framework's DataBinder to deserialise form data containing name=value pairs into POJOs. OpenSpecimen exchanges data in JSON format, which does not go through DataBinder.

Therefore OpenSpecimen is not vulnerable to this exploit.

Upgrade to Spring 5.x

We have plans to upgrade to Spring 5.x, remove the dependency on Tomcat, and run OpenSpecimen as a standalone process. The idea is to complete this upgrade by the end of CY 2022. However, this plan could be affected by unforeseen events that are outside our control.

Mitigation

Although OpenSpecimen does not suffer from this vulnerability, out of an abundance of caution we plan to prevent WebDataBinder from processing risky field names containing the class keyword: class.*, Class.*, *.class.*, *.Class.*, etc. This fix will be available in OpenSpecimen v9.0.
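The following is an added illustration of how such a WebDataBinder restriction is typically wired up in a Spring MVC application; it is example code written for this page, not the OpenSpecimen v9.0 change itself. The class name BinderControllerAdvice and method name are assumptions; the disallowed-field patterns are the ones listed above, and the global @ControllerAdvice plus @InitBinder combination is the standard Spring mechanism for applying a binder setting to every controller.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global binder configuration (hypothetical class name).
 *
 * Every WebDataBinder created for a controller in this application
 * passes through the @InitBinder method below, so the deny-list is
 * applied before any request parameters are bound to a POJO.
 * LOWEST_PRECEDENCE lets other advice run first; the deny-list is
 * still applied because setDisallowedFields replaces the whole array.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Patterns from the page: any field path that starts with, or
    // contains, the "class"/"Class" property is refused by the binder.
    private static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void setDisallowedFields(WebDataBinder binder) {
        // Parameters whose names match a pattern are silently skipped
        // by the binder and recorded as suppressed fields; they never
        // reach the target object's property accessors.
        binder.setDisallowedFields(DENYLIST);
    }
}
```

Two practical caveats when relying on this pattern: a controller that declares its own @InitBinder and calls setDisallowedFields there overrides the global list for that controller, so such methods need to include the same patterns; and on Spring versions that already carry the upstream fix (5.3.18 and 5.2.20 onward), which also made disallowed-field matching case-insensitive, the advice is defence in depth rather than the primary control.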
