
Spring4Shell security vulnerability

Open · llinggit opened this issue 2 years ago · 1 comment

In Java Client API, we use spring-jdbc, 5.2.7

It doesn’t meet the prerequisites listed in CVE-2022-22965

These are the prerequisites for the exploit:

- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as WAR
- spring-webmvc or spring-webflux dependency

However, it has dependencies on spring-core and spring-beans, which are marked as vulnerable in Maven Central.

The newest version of spring-jdbc, 5.3.18, in the Maven repository has the patch. We had better upgrade it to 5.3.18 anyway.

https://help.marklogic.com/Knowledgebase/Article/View/spring4shell-cve-2022-22965-spring-framework-rce-via-data-binding-on-jdk-9

https://tanzu.vmware.com/security/cve-2022-22965

https://wiki.marklogic.com/display/ENGINEERING/Spring4Shell+Vulnerability

So we can address your issue, please include the following:

Version of MarkLogic Java Client API

See Readme.txt

Version of MarkLogic Server

See the admin GUI on port 8001, or run xdmp:version() in Query Console (port 8000)

Java version

Run java -version

OS and version

For MAC, run sw_vers.
For Windows, run systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
For Linux, run cat /etc/os-release and uname -r

Input: Some code to illustrate the problem, preferably in a state that can be independently reproduced on our end

Actual output: What did you observe? What errors did you see? Can you attach the logs? (Java logs, MarkLogic logs)

Expected output: What specifically did you expect to happen?

Alternatives: What else have you tried, actual/expected?

llinggit · Apr 01 '22 17:04
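An added example, not code from the issue or from the Java Client API project, that applies the reasoning above to the output of `mvn dependency:list`: it flags spring-core and spring-beans below the fixed releases and reports whether the spring-webmvc/spring-webflux exploit prerequisite is present in the dependency tree. The sample Maven output is constructed; the 5.3.18 fix version comes from the issue and the 5.2.20 fix for the 5.2 line from the Spring advisory.

```python
"""Audit Maven dependency output for Spring artifacts affected by CVE-2022-22965."""
import re

# Artifacts the issue names as flagged vulnerable (pulled in transitively by spring-jdbc).
AFFECTED = {"spring-core", "spring-beans"}
# Exploit prerequisite from the advisory: a Spring MVC or WebFlux web stack.
WEB_STACK = {"spring-webmvc", "spring-webflux"}
# Matches lines such as "[INFO]    org.springframework:spring-beans:jar:5.2.7.RELEASE:compile"
LINE_RE = re.compile(r"org\.springframework:([\w-]+):(?:jar|pom):([0-9][\w.-]*)")

# Constructed sample of `mvn dependency:list` output for a project on spring-jdbc 5.2.7.
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-jdbc:jar:5.2.7.RELEASE:compile
[INFO]    org.springframework:spring-core:jar:5.2.7.RELEASE:compile
[INFO]    org.springframework:spring-beans:jar:5.2.7.RELEASE:compile
[INFO]    org.springframework:spring-tx:jar:5.2.7.RELEASE:compile
"""


def parse_version(version):
    """Turn '5.2.7.RELEASE' into (5, 2, 7); stops at the first non-numeric segment."""
    parts = []
    for segment in version.split("."):
        if not segment.isdigit():
            break
        parts.append(int(segment))
    return tuple(parts)


def is_vulnerable_version(version):
    """Fixed releases: 5.3.18 on the 5.3 line, 5.2.20 on the 5.2 line; older lines are unpatched."""
    v = parse_version(version)
    if v[:2] == (5, 3):
        return v < (5, 3, 18)
    return v < (5, 2, 20)


def audit(dependency_list):
    """Return vulnerable (artifact, version) pairs and any web-stack prerequisite found."""
    findings, web = [], set()
    for line in dependency_list.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        artifact, version = match.groups()
        if artifact in WEB_STACK:
            web.add(artifact)
        if artifact in AFFECTED and is_vulnerable_version(version):
            findings.append((artifact, version))
    return {"vulnerable": findings, "web_stack_prerequisite": sorted(web)}


if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty `web_stack_prerequisite` list mirrors the issue's situation: the vulnerable jars are present even though the exploit prerequisites are not, which is why upgrading is still the right call.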

Ran all unit tests and they ran fine.

georgeajit · Apr 05 '22 04:04