    Spring4Shell Security Vulnerabilities - On Premises Customers

    1. Upgrade to Tomcat Version 9.0.62
      1. Download and unzip apache-tomcat-9.0.62
      2. Deploy tomcat and copy custom changes BO (AIO or BO server)
      3. Deploy tomcat and copy custom changes FE (AIO or FE Server)

    Released: April 5, 2022

    On April 01, 2022, two critical remote code execution (RCE) vulnerabilities (CVE-2022-22965 and CVE-2022-22963) were disclosed in the Spring framework, a comprehensive programming and configuration model for modern Java-based enterprise applications.

    The vulnerabilities affect Spring Core and Spring Cloud Function.

    By exploiting these remote code execution vulnerabilities, an attacker can bypass access controls and download and subsequently execute a malicious payload.

    References:

    • https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
    • https://nvd.nist.gov/vuln/detail/CVE-2022-22965

    Primo on-premises customers running Primo versions from February 2021 onwards may be vulnerable to this threat. They are advised to upgrade to the Primo February 2022 version and then follow the instructions below to upgrade to Tomcat version 9.0.62.

    Upgrade to Tomcat Version 9.0.62

    This procedure upgrades Tomcat to version 9.0.62 for Primo.

    Before you upgrade, ensure that you are using the Primo February 2022 version.

    Download and unzip apache-tomcat-9.0.62

    As the primo user, enter the following commands:

    cd $primo_dev/tmp

    curl -O https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62.tar.gz

    mkdir apache-tomcat-9.0.62

    tar -xvf apache-tomcat-9.0.62.tar.gz -C apache-tomcat-9.0.62

    Deploy tomcat and copy custom changes BO (AIO or BO server)

    As the primo user, enter the following commands:

    be_stop

    be_web ; cd ../../../

    mv publish publishOrig

    cp -r $primo_dev/tmp/apache-tomcat-9.0.62/apache-tomcat-9.0.62 .

    mv apache-tomcat-9.0.62 publish

    cp publishOrig/bin/setenv.bat publishOrig/bin/setenv.sh publish/bin

    cd publish/conf

    cp -r ../../publishOrig/conf/* .

    cd -

    cd publish/webapps

    rm -rf docs examples host-manager manager

    cp -r ../../publishOrig/webapps/* .

    cd -

    be_start

    Deploy tomcat and copy custom changes FE (AIO or FE Server)

    If this is not an AIO server, you must run the Download and unzip apache-tomcat-9.0.62 procedure for this server first.

    As the primo user, enter the following commands:

    fe_stop

    fe_web ; cd ../../../

    mv search searchOrig

    cp -r $primo_dev/tmp/apache-tomcat-9.0.62/apache-tomcat-9.0.62 .

    mv apache-tomcat-9.0.62 search

    cp searchOrig/bin/setenv.bat searchOrig/bin/setenv.sh search/bin

    cd search/conf

    cp -r ../../searchOrig/conf/* .

    cd -

    cd searchOrig/lib

    cp activemq-all-5.7.0.jar commons-beanutils-1.7.0.jar commons-beanutils-core-1.8.0.jar commons-collections-3.2.1.jar commons-configuration-1.6.jar commons-digester-1.8.jar commons-lang-2.4.jar commons-logging-1.1.1.jar ecj-4.4.2.jar exlibris-jasypt-encryption-1.0.3.jar icu4j-3.8.1.jar jasypt-1.9.0.jar ojdbc8-12.2.0.1.jar tomcat7-websocket.jar ../../search/lib/

    cd -

    cd search/webapps

    rm -rf docs examples host-manager manager

    cp -r ../../searchOrig/webapps/* .

    cd -

    fe_start
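
A post-upgrade check for the two deployment procedures above, as an added example that is not part of the original Ex Libris instructions. It confirms that the directory holds Tomcat 9.0.62, that the bundled docs, examples, host-manager and manager applications are still absent after the original webapps were copied back, and that setenv.sh, server.xml and any named lib JARs were carried over. The function names, the script name in the usage comment and the RELEASE-NOTES version header are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Ex Libris code: read-only check of a Tomcat directory
# (publish/ or search/) after the upgrade procedure.
EXPECTED_VERSION="9.0.62"
DEFAULT_APPS="docs examples host-manager manager"

# check_tomcat_dir <tomcat_dir> [jar_expected_in_lib ...]
# Prints one line per finding; returns 0 if clean, 1 otherwise.
check_tomcat_dir() {
    local dir="${1:?tomcat directory required}" rc=0 found app f jar
    shift
    # Assumption: the distribution's RELEASE-NOTES header reads
    # "Apache Tomcat Version <x.y.z>".
    found=$(awk '/Apache Tomcat Version/ {print $NF; exit}' \
            "$dir/RELEASE-NOTES" 2>/dev/null || true)
    if [ "$found" != "$EXPECTED_VERSION" ]; then
        echo "FAIL version: found '${found:-none}', want $EXPECTED_VERSION"; rc=1
    fi
    # Bundled apps must still be absent after webapps/* was copied back.
    for app in $DEFAULT_APPS; do
        if [ -e "$dir/webapps/$app" ]; then
            echo "FAIL webapps/$app is deployed"; rc=1
        fi
    done
    # Site settings carried over from the original directory.
    for f in bin/setenv.sh conf/server.xml; do
        [ -f "$dir/$f" ] || { echo "FAIL $f missing"; rc=1; }
    done
    for jar in "$@"; do
        [ -f "$dir/lib/$jar" ] || { echo "FAIL lib/$jar not copied"; rc=1; }
    done
    return "$rc"
}

# make_sample_tree <dir>: constructed sample layout for trying the check offline.
make_sample_tree() {
    mkdir -p "$1/bin" "$1/conf" "$1/lib" "$1/webapps/ROOT"
    echo "        Apache Tomcat Version 9.0.62" > "$1/RELEASE-NOTES"
    echo "export JAVA_OPTS=-Xmx1g" > "$1/bin/setenv.sh"
    echo "<Server/>" > "$1/conf/server.xml"
}

# Usage: ./check_tomcat.sh /path/to/search ojdbc8-12.2.0.1.jar jasypt-1.9.0.jar
if [ "$#" -gt 0 ]; then check_tomcat_dir "$@"; fi
```

Run it against publish/ on the BO server and against search/ on the FE server once be_start or fe_start has completed; the check only reads the directory tree.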

     
