Engineering has completed its review of the reported Spring Framework RCE vulnerability CVE-2022-22965 (also known as "Spring4Shell"), and has put together the details below regarding our exposure and mitigations.
ARCOS does utilize the Spring Framework in parts of the ARCOS platform. However, where Spring is implemented it DOES NOT use the affected components, so ARCOS is NOT vulnerable based on current findings for this CVE (the one component that meets the exploit prerequisites, Advanced Reporting, is not reachable from the public Internet and is addressed below). To get ahead of any further vulnerabilities, ARCOS Engineering has decided to upgrade Tomcat to a version that is not affected. Note that the CVE itself is in Spring Framework (fixed upstream in 5.3.18 and 5.2.20); the Tomcat release closes the class loader access path the published exploit depends on, which is a hardening measure rather than a fix for the Spring libraries themselves. This upgrade is expected to be completed in Production by 4/21.
Prerequisites for the Exploit
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as a traditional WAR and deployed to Tomcat (the default Spring Boot executable jar deployment is not affected by the published exploit)
- spring-webmvc or spring-webflux dependency
- Spring Framework 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or an older, unsupported version (per the Spring advisory)
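The following triage script is an added example for this advisory, not ARCOS tooling. It checks an exploded WAR deployed under Tomcat against the prerequisites above: JDK 9 or higher, a spring-webmvc or spring-webflux jar in WEB-INF/lib, and a Spring version below the patched 5.3.18 / 5.2.20 releases. It also reports whether the Tomcat build is one that closes the class loader path the public exploit uses (9.0.62, 8.5.78, 10.0.20). The version thresholds come from the Spring and Tomcat advisories; the WAR layout, the constructed sample jars and the assumed JDK and Tomcat versions are illustrative assumptions.

```shell
#!/bin/sh
# Added triage helper for CVE-2022-22965 (example code, not ARCOS tooling).
# Checks an exploded WAR under Tomcat against the published exploit
# prerequisites and the Tomcat hardening releases. Version thresholds are
# from the Spring and Tomcat advisories; paths and sample versions are assumed.

# ver_lt A B: succeed (exit 0) when dotted version A sorts before B.
ver_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# Spring Framework below the patched releases is vulnerable
# (5.3.0-5.3.17, 5.2.0-5.2.19, and anything older).
spring_vulnerable() {
  case "$1" in
    5.3.*) ver_lt "$1" 5.3.18 ;;
    5.2.*) ver_lt "$1" 5.2.20 ;;
    *)     ver_lt "$1" 5.2.0 ;;
  esac
}

# Tomcat builds that block the web application class loader resource access
# the public exploit relies on. Unknown branches are treated as not hardened.
tomcat_hardened() {
  case "$1" in
    10.0.*) ! ver_lt "$1" 10.0.20 ;;
    9.0.*)  ! ver_lt "$1" 9.0.62 ;;
    8.5.*)  ! ver_lt "$1" 8.5.78 ;;
    *)      return 1 ;;
  esac
}

# JDK 9+ reports "11.0.14", "17.0.2+8", etc.; a 1.x string means JDK 8 or older.
jdk_at_least_9() {
  case "$1" in
    1.*) return 1 ;;
    *)   ! ver_lt "${1%%[^0-9.]*}" 9 ;;
  esac
}

# Print the version of every spring-webmvc / spring-webflux jar in WEB-INF/lib.
# This keys on file names only: a shaded or renamed jar would be missed, so a
# negative result means "look closer", not "absent".
war_spring_web_versions() {
  for jar in "$1"/WEB-INF/lib/spring-webmvc-*.jar "$1"/WEB-INF/lib/spring-webflux-*.jar; do
    [ -e "$jar" ] || continue
    f=${jar##*/}; f=${f%.jar}
    f=${f#spring-webmvc-}; f=${f#spring-webflux-}
    printf '%s\n' "$f"
  done
}

# war_meets_prereqs WAR_DIR JDK_VERSION: succeed when the deployment satisfies
# the exploit prerequisites (JDK >= 9 plus a vulnerable Spring web jar).
war_meets_prereqs() {
  jdk_at_least_9 "$2" || return 1
  for v in $(war_spring_web_versions "$1"); do
    spring_vulnerable "$v" && return 0
  done
  return 1
}

# Constructed sample: an exploded WAR containing empty placeholder jars.
make_sample_war() {
  d=$(mktemp -d)
  mkdir -p "$d/WEB-INF/lib"
  : > "$d/WEB-INF/lib/spring-webmvc-5.3.16.jar"
  : > "$d/WEB-INF/lib/spring-core-5.3.16.jar"
  printf '%s\n' "$d"
}

# Stand-alone run against the sample with an assumed JDK 11.0.14 and Tomcat 9.0.58.
sample=$(make_sample_war)
if war_meets_prereqs "$sample" 11.0.14; then
  printf 'AFFECTED: Spring %s on JDK 11 meets the exploit prerequisites\n' \
    "$(war_spring_web_versions "$sample")"
else
  printf 'exploit prerequisites not met\n'
fi
if tomcat_hardened 9.0.58; then
  printf 'Tomcat build blocks the published exploit path\n'
else
  printf 'Tomcat 9.0.58 does not block the exploit path; upgrade to 9.0.62 or later\n'
fi
rm -rf "$sample"
```

Run it on a real host by pointing `war_meets_prereqs` at the exploded application directory under Tomcat's webapps and passing the output of `java -version`. A "not affected" verdict from the Tomcat check only means the published exploit path is closed; the Spring jars still need to be upgraded to 5.3.18 / 5.2.20 or later to remove the underlying defect.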
ARCOS Exposure
- Most of the ARCOS Platform DOES NOT use the Spring framework.
- Workbench and sMART do use the Spring framework, but DO NOT use the affected components.
- ARCOS utilizes Tomcat for Advanced Reporting, Workbench, and sMART.
- The Advanced Reporting application IS affected (it meets the exploit prerequisites listed above). However, no public Internet access exists for this environment, and its Tomcat is being upgraded to mitigate.
- RosterApps and RAMP-UP are NOT affected, as they are built on .NET and run under IIS rather than Tomcat.
Remediation
- Engineering is in the process of upgrading all Tomcat installations to version 9.0.62, which blocks the class loader access path used by the published exploit for this vulnerability.
- ETA for QA: 4/13/2022 6 PM ET (approx. 20-minute rolling outage for Workbench and sMART)
- ETA for PROD: 4/21/2022, 22.16 Production Deployment window