UrbanCode Deploy and Spring4Shell (CVE-2022-22965)

By Osman Burucu posted Tue May 03, 2022 06:56 AM


Spring4Shell

At the end of 2021 the IT world was rattled by a critical vulnerability hidden in the Log4j library. A few months later another very popular and widely used library, the Spring Framework, was also found to be affected (CVE-2022-22965, known as Spring4Shell).

Spring is affected when it runs on a JDK higher than 9, on Apache Tomcat, and is deployed as a traditional WAR package. Affected versions are 5.3.17 and older.

IBM UrbanCode Deploy (now IBM DevOps Deploy) uses JDK 11 and runs on Apache Tomcat as a traditional WAR package, so it matches all three preconditions. A detailed check was therefore made, and the results are very promising.

IBM UrbanCode Deploy

If you are on 7.2.0.0 or later, IBM UCD does not package the Spring library with these versions and is therefore not vulnerable.
If you are on a version earlier than 7.2.0.0, the product does include the Spring library, but the way it is used is not exploitable via this CVE. Hence IBM UrbanCode Deploy is not vulnerable to this CVE.

Technical explanation

The vulnerable Spring library we shipped before 7.2.0.0 is used exclusively to statically configure the JMS broker at system startup from a config file stored on disk. Once startup is complete, it is never accessed again. This was verified by a search of the ActiveMQ source code for references to Spring classes, of which there were none outside the configuration module. We then confirmed there are no dynamic uses of the Spring library by tracing accesses to it at runtime while exercising the application, which showed no accesses.
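As an added illustration (not code from the post or from IBM), the following Python script applies the triage described in the "Spring4Shell" preconditions and in the technical explanation above to a WAR file: it lists the bundled spring-*.jar files with their versions, checks them against the affected range, evaluates the JDK/Tomcat/WAR preconditions, and does a crude byte search of the class files for references to org/springframework/ as a stand-in for the source-code search the post describes. The sample WAR and the jars inside it are constructed in memory for the example and are not real product artifacts; the 5.2.x cutoff (5.2.19) is taken from the Spring advisory and is not mentioned in the post.

```python
"""Spring4Shell (CVE-2022-22965) triage helper for a deployed WAR.

Added example; assumptions: version is read from the jar file name, and a byte
search of .class files approximates a real constant-pool scan.
"""
import io
import re
import zipfile

# Matches e.g. WEB-INF/lib/spring-beans-5.3.16.jar or spring-core-5.3.16.RELEASE.jar
SPRING_JAR_RE = re.compile(
    r"(?:^|/)spring-([a-z-]+)-(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?\.jar$")

# Last affected patch level per minor line: 5.3.17 is from the post,
# 5.2.19 is from the Spring advisory (not on the page).
LAST_AFFECTED_PATCH = {(5, 3): 17, (5, 2): 19}
SPRING_PKG = b"org/springframework/"


def parse_spring_jars(war_bytes):
    """Return [(module, (major, minor, patch))] for every spring-*.jar in the WAR."""
    found = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = SPRING_JAR_RE.search(name)
            if m:
                found.append((m.group(1), tuple(int(x) for x in m.group(2, 3, 4))))
    return found


def version_in_affected_range(version):
    """True if (major, minor, patch) falls inside an unpatched Spring line."""
    major, minor, patch = version
    last = LAST_AFFECTED_PATCH.get((major, minor))
    return last is not None and patch <= last


def classes_referencing_spring(war_bytes):
    """Sorted names of .class entries (top-level or inside nested jars) that
    mention org/springframework/ in their bytes. Spring's own classes will
    match too, so filter by path when judging *application* usage."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            data = war.read(name)
            if name.endswith(".class") and SPRING_PKG in data:
                hits.append(name)
            elif name.endswith(".jar"):
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    for inner_name in inner.namelist():
                        if inner_name.endswith(".class") and SPRING_PKG in inner.read(inner_name):
                            hits.append(f"{name}!{inner_name}")
    return sorted(hits)


def assess(war_bytes, jdk_major, servlet_container, packaging="war"):
    """Combine the advisory preconditions with the bundled-version check.
    JDK condition is taken as 9 or newer (the Spring advisory's wording)."""
    jars = parse_spring_jars(war_bytes)
    vulnerable = [(mod, v) for mod, v in jars if version_in_affected_range(v)]
    preconditions = (jdk_major >= 9 and servlet_container.lower() == "tomcat"
                     and packaging == "war")
    return {
        "spring_jars": jars,
        "vulnerable_jars": vulnerable,
        "preconditions_met": preconditions,
        "needs_attention": preconditions and bool(vulnerable),
    }


def _jar(entries):
    """Build an in-memory zip (jar/war) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample artifacts (fake class bytes, not real product builds).
CLASS_MAGIC = b"\xca\xfe\xba\xbe"
_SPRING_CLASSES = {"org/springframework/beans/factory/BeanFactory.class":
                   CLASS_MAGIC + b"org/springframework/beans/factory/BeanFactory"}
_APP_ENTRIES = {
    "WEB-INF/classes/com/example/App.class": CLASS_MAGIC + b"com/example/App java/lang/Object",
    "WEB-INF/lib/broker-config-1.0.jar": _jar({
        "com/example/BrokerConfig.class":
        CLASS_MAGIC + b"com/example/BrokerConfig org/springframework/context/ApplicationContext"}),
}
SAMPLE_WAR = _jar({**_APP_ENTRIES, "WEB-INF/lib/spring-beans-5.3.16.jar": _jar(_SPRING_CLASSES)})
PATCHED_WAR = _jar({**_APP_ENTRIES, "WEB-INF/lib/spring-beans-5.3.18.jar": _jar(_SPRING_CLASSES)})

if __name__ == "__main__":
    for label, war in (("sample", SAMPLE_WAR), ("patched", PATCHED_WAR)):
        print(label, assess(war, jdk_major=11, servlet_container="Tomcat"))
        print("  spring references:", classes_referencing_spring(war))
```

The version check alone only tells you whether a vulnerable jar is present; the reference scan narrows that to which code actually touches Spring, which is the question the post answers for the broker configuration module.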
#UrbanCodeDeploy
