Salesforce is investigating the impact of the Spring4Shell vulnerabilities on Salesforce products.
1. What are Spring4Shell Java RCE ‘0-day’ vulnerabilities?
Two serious vulnerabilities leading to remote code execution (RCE) have been disclosed in widely used Spring projects: one in Spring Framework (Spring Core), which is the one commonly called "Spring4Shell", and one in Spring Cloud Function. You can find additional details about these vulnerabilities below:
- CVE-2022-22963: As per the National Vulnerability Database – In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL expression as a routing-expression that may result in remote code execution and access to local resources. Fixed in Spring Cloud Function 3.1.7 and 3.2.3.
- CVE-2022-22965: As per the National Vulnerability Database – A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. Fixed in Spring Framework 5.2.20 and 5.3.18 (Spring Boot 2.5.12 and 2.6.6).
2. Who is impacted?
Potentially any application that uses Spring Framework data binding (Spring MVC or Spring WebFlux) on JDK 9 or newer is exposed to CVE-2022-22965; the public exploit additionally needs a Tomcat WAR deployment, but other exploitation paths may exist, so the JDK version alone is not a safe boundary. Any application that uses the routing functionality of Spring Cloud Function 3.1.6, 3.2.2 or an older unsupported version is exposed to CVE-2022-22963, regardless of JDK version.
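The following triage script is an added example (not Salesforce's or the Spring project's own tooling) that makes the impact question above concrete for a deployable artifact: it lists the Spring jars bundled in a WAR or Spring Boot executable jar, compares their versions with the first fixed releases (Spring Framework 5.2.20/5.3.18 for CVE-2022-22965, Spring Cloud Function 3.1.7/3.2.3 for CVE-2022-22963), and reports whether the artifact matches the known exploit profile for CVE-2022-22965 (WAR deployment plus an affected spring-beans plus Spring MVC/WebFlux). The sample archives are constructed in memory with empty placeholder jars; the JDK version is not visible inside an archive and must be checked on the host, and a clean result is not proof of safety, since the vulnerability is more general than the published exploit.

```python
"""Triage helper: find Spring artifacts in a WAR / Boot jar at versions
affected by CVE-2022-22965 (Spring Framework) or CVE-2022-22963
(Spring Cloud Function). Added example, not vendor tooling."""
import io
import re
import zipfile

# First fixed version on each supported branch (per the Spring advisories).
# Branches older than the oldest listed one are "older unsupported" and
# therefore treated as affected.
FIXED = {
    "spring-beans": [(5, 2, 20), (5, 3, 18)],
    "spring-cloud-function-context": [(3, 1, 7), (3, 2, 3)],
}
WEB_ARTIFACTS = {"spring-webmvc", "spring-webflux"}

# Matches entries such as WEB-INF/lib/spring-beans-5.3.17.jar or
# BOOT-INF/lib/spring-cloud-function-context-3.2.2.jar
JAR_RE = re.compile(
    r"(?:WEB-INF|BOOT-INF)/lib/([a-z][a-z0-9-]*?)-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$"
)


def is_fixed(artifact, version):
    """True if (major, minor, patch) is at or above the fix on its branch."""
    fixes = FIXED[artifact]
    for fix in fixes:
        if version[:2] == fix[:2]:
            return version >= fix
    # Not a patched branch: newer branches are fixed, older ones unsupported.
    return version[:2] > max(f[:2] for f in fixes)


def scan_archive(data):
    """Inspect archive bytes and return a findings dict."""
    findings = {"deployment": "unknown", "affected": [], "web": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    if any(n.startswith("BOOT-INF/") for n in names):
        findings["deployment"] = "boot-jar"
    elif any(n.startswith("WEB-INF/") for n in names):
        findings["deployment"] = "war"
    for name in names:
        m = JAR_RE.search(name)
        if not m:
            continue
        artifact = m.group(1)
        version = tuple(int(x) for x in m.group(2, 3, 4))
        if artifact in WEB_ARTIFACTS:
            findings["web"] = True
        if artifact in FIXED and not is_fixed(artifact, version):
            findings["affected"].append((artifact, ".".join(map(str, version))))
    return findings


def matches_known_exploit_profile(findings):
    """CVE-2022-22965 public exploit: Tomcat WAR + affected spring-beans +
    Spring MVC/WebFlux data binding (JDK >= 9 must be checked on the host)."""
    beans_affected = any(a == "spring-beans" for a, _ in findings["affected"])
    return findings["deployment"] == "war" and beans_affected and findings["web"]


def build_sample_archive(prefix, jars):
    """Constructed sample: an archive whose lib/ holds empty placeholder jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for jar in jars:
            zf.writestr(f"{prefix}/lib/{jar}", b"")
        if prefix == "WEB-INF":
            zf.writestr("WEB-INF/web.xml", b"<web-app/>")
    return buf.getvalue()


if __name__ == "__main__":
    war = build_sample_archive("WEB-INF", [
        "spring-beans-5.3.17.jar", "spring-webmvc-5.3.17.jar",
        "spring-cloud-function-context-3.2.2.jar"])
    boot = build_sample_archive("BOOT-INF", [
        "spring-beans-5.3.18.jar", "spring-webmvc-5.3.18.jar"])
    for label, blob in (("legacy.war", war), ("app.jar", boot)):
        f = scan_archive(blob)
        print(label, f, "known-exploit-profile:", matches_known_exploit_profile(f))
```

Point the script at a real artifact with `scan_archive(open(path, "rb").read())`; remember that a Boot executable jar nests its libraries under BOOT-INF/lib, which the regex covers, and that finding only fixed versions still leaves the host JDK and any custom data-binding configuration to review.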
3. Are any Salesforce products impacted?
Salesforce has posted a message on its Trust site stating that it is investigating the issue.
You can view the Salesforce Spring4Shell message here.
4. Update April 8, 2022