Spring4Shell Security Vulnerabilities - On Premises Customers
Released: April 5, 2022
On April 1, 2022, two critical remote code execution (RCE) vulnerabilities were disclosed in the Spring ecosystem, a widely used programming and configuration model for Java-based enterprise applications: CVE-2022-22965 ("Spring4Shell") in the Spring Framework (Spring Core), which affects Spring MVC and Spring WebFlux applications running on JDK 9 or later, and CVE-2022-22963 in Spring Cloud Function, which affects its routing functionality.
Successful exploitation gives a remote, unauthenticated attacker code execution on the application server. The published CVE-2022-22965 exploits use the flaw to write an attacker-controlled file such as a web shell into the Tomcat web application directory and then execute it, bypassing the application's own access controls.
Primo on-premises customers running the Primo February 2021 release or later may be affected. Upgrade to the Primo February 2022 release and then follow the instructions below to upgrade the Tomcat bundled with Primo to version 9.0.62. Apache Tomcat 9.0.62 was released in response to CVE-2022-22965 and hardens the web application class loader so that the class-loader manipulation used by the published exploits no longer works. This blocks the known exploit path for CVE-2022-22965 at the container level; it is not a patch to the Spring Framework libraries themselves and it does not address CVE-2022-22963, so the Primo release upgrade must be done first.
Upgrade to Tomcat Version 9.0.62
This procedure replaces the Tomcat installation used by Primo with Apache Tomcat 9.0.62 while preserving Primo's Tomcat configuration (bin/setenv.* and conf/), the deployed web applications and, on the front end, the additional libraries in Tomcat's lib directory. The old installation is kept as publishOrig or searchOrig so that you can roll back by moving it into place again.
Before you upgrade, ensure that you are using the Primo February 2022 version. Run the BO steps on the back-office (or all-in-one) server and the FE steps on the front-end (or all-in-one) server.
Download and extract apache-tomcat-9.0.62
As the primo user, enter the following commands. If the 9.0.62 tarball is no longer available on dlcdn.apache.org, the same path exists under https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.62/bin/. In either case, verify the download against the .sha512 checksum or the .asc signature published next to it before extracting it:
cd $primo_dev/tmp
curl -O https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62.tar.gz
mkdir apache-tomcat-9.0.62
tar -xvf apache-tomcat-9.0.62.tar.gz -C apache-tomcat-9.0.62
Deploy Tomcat and copy custom changes on the BO (AIO or BO server)
As the primo user, enter the following commands:
be_stop
be_web ; cd ../../../
mv publish publishOrig
cp -r $primo_dev/tmp/apache-tomcat-9.0.62/apache-tomcat-9.0.62 .
mv apache-tomcat-9.0.62 publish
cp publishOrig/bin/setenv.bat publishOrig/bin/setenv.sh publish/bin
cd publish/conf
cp -r ../../publishOrig/conf/* .
cd -
cd publish/webapps
rm -rf docs examples host-manager manager
cp -r ../../publishOrig/webapps/* .
cd -
be_start
Deploy Tomcat and copy custom changes on the FE (AIO or FE server)
As the primo user, enter the following commands:
fe_stop
fe_web ; cd ../../../
mv search searchOrig
cp -r $primo_dev/tmp/apache-tomcat-9.0.62/apache-tomcat-9.0.62 .
mv apache-tomcat-9.0.62 search
cp searchOrig/bin/setenv.bat searchOrig/bin/setenv.sh search/bin
cd search/conf
cp -r ../../searchOrig/conf/* .
cd -
cd searchOrig/lib
cp activemq-all-5.7.0.jar commons-beanutils-1.7.0.jar commons-beanutils-core-1.8.0.jar commons-collections-3.2.1.jar commons-configuration-1.6.jar commons-digester-1.8.jar commons-lang-2.4.jar commons-logging-1.1.1.jar ecj-4.4.2.jar exlibris-jasypt-encryption-1.0.3.jar icu4j-3.8.1.jar jasypt-1.9.0.jar ojdbc8-12.2.0.1.jar tomcat7-websocket.jar ../../search/lib/
cd -
cd search/webapps
rm -rf docs examples host-manager manager
cp -r ../../searchOrig/webapps/* .
cd -
fe_start
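The back-office and front-end procedures above are the same swap with different directory names (publish versus search, plus the jar list on the front end). The following shell function is an added example, not Ex Libris code and not part of the original procedure: it performs that swap once for either tree and adds the checks an operator would want before running it against a live server. It refuses to proceed if the extracted tree is not actually Tomcat 9.0.62, if a previous run already left a ...Orig directory behind, or if setenv.sh or a requested jar is missing, and it runs every check before the first mv so that a refusal changes nothing. The function names, the use of RELEASE-NOTES as the version source, and the fixture built by make_fixture are this example's own assumptions; the fixture is constructed data, not a Primo installation.

```shell
#!/bin/sh
# Added example, not part of the Ex Libris procedure: the "move aside, copy
# fresh Tomcat, carry customisations over" steps as one checked function, so
# the same code serves the BO (publish) and FE (search) swaps. Function and
# variable names are this example's own; it does not call be_*/fe_* or touch
# $primo_dev, and the fixture it builds for the demo is constructed data.
set -eu

EXPECTED_TOMCAT="9.0.62"                              # version the fresh tree must be
DEFAULT_WEBAPPS="docs examples host-manager manager"  # never deploy these in production

# Print the version recorded at the top of <dir>/RELEASE-NOTES (Tomcat ships
# "Apache Tomcat Version 9.0.62" there); print nothing if the file is absent.
tomcat_version_of() {
    [ -f "$1/RELEASE-NOTES" ] || return 0
    sed -n 's/^ *Apache Tomcat Version \([0-9][0-9.]*\).*/\1/p' "$1/RELEASE-NOTES" | head -n 1
}

# swap_tomcat <live-dir> <fresh-dir> [jar ...]
# Moves <live-dir> to <live-dir>Orig, copies <fresh-dir> into its place and
# carries over bin/setenv.*, conf/, the deployed webapps (minus Tomcat's
# defaults) and any named jars from the old lib/. All checks run before the
# first mv, so a refusal (return 1) leaves the installation untouched.
swap_tomcat() {
    live="$1"; fresh="$2"; shift 2
    orig="${live}Orig"
    v="$(tomcat_version_of "$fresh")"
    if [ "$v" != "$EXPECTED_TOMCAT" ]; then
        echo "refusing: $fresh is Tomcat '${v:-unknown}', expected $EXPECTED_TOMCAT" >&2
        return 1
    fi
    [ -d "$live" ]   || { echo "refusing: $live does not exist" >&2; return 1; }
    [ ! -e "$orig" ] || { echo "refusing: $orig exists; an earlier run was not cleaned up" >&2; return 1; }
    [ -f "$live/bin/setenv.sh" ] || { echo "refusing: $live/bin/setenv.sh (JVM options) missing" >&2; return 1; }
    for jar in "$@"; do
        [ -f "$live/lib/$jar" ] || { echo "refusing: $live/lib/$jar missing" >&2; return 1; }
    done

    mv "$live" "$orig"
    cp -r "$fresh" "$live"
    cp "$orig"/bin/setenv.* "$live/bin/"             # JVM options; at least setenv.sh exists
    cp -r "$orig"/conf/. "$live/conf/"               # server.xml, web.xml, catalina.properties ...
    (cd "$live/webapps" && rm -rf $DEFAULT_WEBAPPS)  # strip the sample/manager apps first
    cp -r "$orig"/webapps/. "$live/webapps/"         # then restore the Primo applications
    for jar in "$@"; do
        cp "$orig/lib/$jar" "$live/lib/"             # FE-only: extra libraries Primo needs
    done
}

# Build a throw-away fixture under <base>: a fake live "search" tree with
# customisations and a fake fresh 9.0.62 tree. Constructed data for the demo.
make_fixture() {
    base="$1"
    mkdir -p "$base/search/bin" "$base/search/conf" "$base/search/lib" "$base/search/webapps/primo_library"
    echo 'JAVA_OPTS="-Xmx2g"' > "$base/search/bin/setenv.sh"
    echo '<Server port="8005"/>' > "$base/search/conf/server.xml"
    : > "$base/search/lib/ojdbc8-12.2.0.1.jar"
    : > "$base/search/lib/old-only.jar"
    f="$base/apache-tomcat-9.0.62"
    mkdir -p "$f/bin" "$f/conf" "$f/lib" "$f/webapps/ROOT" "$f/webapps/docs" \
             "$f/webapps/examples" "$f/webapps/manager" "$f/webapps/host-manager"
    printf '%s\n' '====' '                    Apache Tomcat Version 9.0.62' '            Release Notes' > "$f/RELEASE-NOTES"
    echo '<Server port="8005"/>' > "$f/conf/server.xml"
    : > "$f/lib/catalina.jar"
}

# Demo: swap the fixture and list what survived. Run "sh thisfile --demo" to see it.
demo() {
    base="$(mktemp -d)"
    make_fixture "$base"
    swap_tomcat "$base/search" "$base/apache-tomcat-9.0.62" ojdbc8-12.2.0.1.jar
    ls "$base/search/webapps" "$base/search/lib"
    cat "$base/search/bin/setenv.sh"
    rm -rf "$base"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a real server you would call it from the directory the be_web or fe_web alias lands in after cd ../../../, between the stop and start commands: swap_tomcat publish $primo_dev/tmp/apache-tomcat-9.0.62/apache-tomcat-9.0.62 for the back office, and swap_tomcat search ... followed by the jar list from the FE step for the front end. After be_start or fe_start, confirm the version that is actually running with java -cp publish/lib/catalina.jar org.apache.catalina.util.ServerInfo (or search/lib/catalina.jar on the FE), which prints the Server version line. One caveat that applies equally to the procedure above: conf/ is carried over wholesale from the old installation, so any changed defaults in the 9.0.62 conf files are not picked up; diff publishOrig/conf or searchOrig/conf against the fresh tree's conf before you delete the Orig directory.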