
    Spring4Shell Security Vulnerabilities - On Premises Customers

    Overview:

    On April 01, 2022, two critical remote code execution (RCE) vulnerabilities (CVE-2022-22965 and CVE-2022-22963) were disclosed in Spring, a comprehensive programming and configuration model for modern Java-based enterprise applications.

    The vulnerabilities affect Spring Core and Spring Cloud Function.

    An attacker who exploits these remote code execution vulnerabilities can bypass access controls, then download and execute a malicious payload on the affected server.

    References:

    Primo on-premises customers running Primo versions from February 2021 onwards may be vulnerable to this threat. They are advised to upgrade to the Primo February 2022 version and then follow the instructions below to upgrade Tomcat to version 9.0.62.

    Upgrade to Tomcat Version 9.0.62

    This procedure upgrades Tomcat to version 9.0.62 for Primo.

    Before you upgrade, ensure that you are using the Primo February 2022 version.

    Download and unzip apache-tomcat-9.0.62

    As the primo user, enter the following commands:

    cd $primo_dev/tmp

    curl -O https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62.tar.gz

    mkdir apache-tomcat-9.0.62

    tar -xvf apache-tomcat-9.0.62.tar.gz -C apache-tomcat-9.0.62
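    The download step above fetches the tarball over HTTPS but never checks its integrity. Apache publishes a SHA-512 checksum file beside every Tomcat distribution, and comparing the download against it before unpacking catches a truncated or tampered archive. The shell functions below are an added example and not part of the Ex Libris procedure; they assume the checksum file keeps the layout used in the Apache distribution directories (hex digest first, then the file name) and that it is fetched from the same directory as the tarball.

```shell
#!/bin/sh
# Added example (not from the Ex Libris article): verify the downloaded Tomcat
# tarball against the SHA-512 digest Apache publishes next to it, before tar
# is run on it. Assumption: the checksum file's first field is the hex digest,
# as in Apache's "<hex> *<filename>" files.

# sha512_of <file>: print the hex SHA-512 digest, using whichever tool exists.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'
  else
    shasum -a 512 "$1" | awk '{print $1}'
  fi
}

# verify_tarball <tarball> <checksum-file>
# Returns 0 only when the tarball's digest equals the published one.
verify_tarball() {
  tarball="$1"
  sumfile="$2"
  [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 1; }
  [ -f "$sumfile" ] || { echo "missing checksum file: $sumfile" >&2; return 1; }
  expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
  actual=$(sha512_of "$tarball" | tr 'A-F' 'a-f')
  if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
    echo "checksum OK: $tarball"
    return 0
  fi
  echo "CHECKSUM MISMATCH for $tarball" >&2
  echo "  expected: ${expected:-<empty>}" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# Usage in the article's download step (run from $primo_dev/tmp). The .sha512
# file follows the same URL pattern as the tarball; whether that version is
# still hosted under dlcdn.apache.org is an assumption, older releases move to
# archive.apache.org.
#   curl -O https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62.tar.gz.sha512
#   verify_tarball apache-tomcat-9.0.62.tar.gz apache-tomcat-9.0.62.tar.gz.sha512 || exit 1
```

    Run it after the curl command and before the tar command; when the digests differ, delete the download and fetch it again rather than unpacking it.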

    Deploy Tomcat and copy custom changes - BO (AIO or BO server)

    As the primo user, enter the following commands:

    be_stop

    be_web ; cd ../../../

    mv publish publishOrig

    cp -r $primo_dev/tmp/apache-tomcat-9.0.62/apache-tomcat-9.0.62 .

    mv apache-tomcat-9.0.62 publish

    cp publishOrig/bin/setenv.bat publishOrig/bin/setenv.sh publish/bin

    cd publish/conf

    cp -r ../../publishOrig/conf/* .

    cd -

    cd publish/webapps

    rm -rf docs examples host-manager manager

    cp -r ../../publishOrig/webapps/* .

    cd -

    be_start

    Deploy Tomcat and copy custom changes - FE (AIO or FE server)

    If this is not an AIO server, you must first run the "Download and unzip apache-tomcat-9.0.62" procedure on this server.

    As the primo user, enter the following commands:

    fe_stop

    fe_web ; cd ../../../

    mv search searchOrig

    cp -r $primo_dev/tmp/apache-tomcat-9.0.62/apache-tomcat-9.0.62 .

    mv apache-tomcat-9.0.62 search

    cp searchOrig/bin/setenv.bat searchOrig/bin/setenv.sh search/bin

    cd search/conf

    cp -r ../../searchOrig/conf/* .

    cd -

    cd searchOrig/lib

    cp activemq-all-5.7.0.jar commons-beanutils-1.7.0.jar commons-beanutils-core-1.8.0.jar commons-collections-3.2.1.jar commons-configuration-1.6.jar commons-digester-1.8.jar commons-lang-2.4.jar commons-logging-1.1.1.jar ecj-4.4.2.jar exlibris-jasypt-encryption-1.0.3.jar icu4j-3.8.1.jar jasypt-1.9.0.jar ojdbc8-12.2.0.1.jar tomcat7-websocket.jar ../../search/lib/

    cd -

    cd search/webapps

    rm -rf docs examples host-manager manager

    cp -r ../../searchOrig/webapps/* .

    cd -

    fe_start
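    Once be_start and fe_start have run, it is worth confirming that each instance really is Tomcat 9.0.62, that the copied setenv and conf files survived, that the jars copied on the FE server are in place, and that the stock sample and management applications deleted in the steps above are gone (publishOrig and searchOrig stay behind as a rollback copy until the new instance is confirmed). The script below is an added example and not part of the Ex Libris procedure; it assumes the instance directory follows the standard Tomcat layout, that its RELEASE-NOTES file carries the "Apache Tomcat Version x.y.z" line shipped in the Apache tarball, and it treats any jar names passed as extra arguments (for the FE server, the list copied from searchOrig/lib above) as required contents of lib/.

```shell
#!/bin/sh
# Added post-upgrade check (not part of the Ex Libris article) for a Primo
# Tomcat instance directory: "publish" on a BO server, "search" on an FE server.
# Assumptions: standard Tomcat layout inside the instance, and a RELEASE-NOTES
# file whose version line reads "Apache Tomcat Version <x.y.z>".

EXPECTED_VERSION="9.0.62"

# tomcat_version <instance-dir>: print the version recorded in RELEASE-NOTES
# (empty when the file or the line is missing).
tomcat_version() {
  sed -n 's/.*Apache Tomcat Version \([0-9][0-9.]*\).*/\1/p' "$1/RELEASE-NOTES" 2>/dev/null | head -n 1
}

# check_instance <instance-dir> [required-jar ...]
# Prints one line per check and returns the number of failed checks (0 = pass).
check_instance() {
  dir="$1"
  shift
  failures=0

  version=$(tomcat_version "$dir")
  if [ "$version" = "$EXPECTED_VERSION" ]; then
    echo "OK   version $version"
  else
    echo "FAIL version is '${version:-unknown}', expected $EXPECTED_VERSION"
    failures=$((failures + 1))
  fi

  # Files the procedure copies over from the previous instance must be present.
  for f in bin/setenv.sh conf/server.xml; do
    if [ -f "$dir/$f" ]; then
      echo "OK   $f present"
    else
      echo "FAIL $f missing (copy it from the previous instance)"
      failures=$((failures + 1))
    fi
  done

  # The stock sample and management applications removed by the procedure must
  # not be deployed; they widen the attack surface of an internet-facing Tomcat.
  for app in docs examples host-manager manager; do
    if [ -e "$dir/webapps/$app" ]; then
      echo "FAIL webapps/$app still deployed"
      failures=$((failures + 1))
    else
      echo "OK   webapps/$app absent"
    fi
  done

  # Any jar names given as extra arguments (the FE step copies a fixed list
  # from searchOrig/lib) must now exist in the new instance's lib/.
  for jar in "$@"; do
    if [ -f "$dir/lib/$jar" ]; then
      echo "OK   lib/$jar present"
    else
      echo "FAIL lib/$jar missing"
      failures=$((failures + 1))
    fi
  done

  echo "$failures check(s) failed for $dir"
  return $failures
}

# Usage, from the directory that contains the instance (where the article's
# "be_web ; cd ../../../" or "fe_web ; cd ../../../" leaves you):
#   check_instance publish
#   check_instance search activemq-all-5.7.0.jar jasypt-1.9.0.jar ojdbc8-12.2.0.1.jar
```

    A non-zero exit status means at least one check failed; the printed FAIL lines say which step of the procedure to repeat. Tomcat's own bin/version.sh reports the running version as well and can be used as a second opinion on a host where java is on the path.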
