
ReportPortal and Spring4Shell CVE-2022-22965

Open · HardNorth opened this issue 2 years ago · 1 comment

Creating this issue as the root issue for investigating and mitigating the Spring4Shell 0-day vulnerability, and to avoid multiple duplicate issues being created by users.

So here is the statement: the ReportPortal team is aware of the possible Spring4Shell vulnerability in our product. We are in the process of investigating how it might impact our product and how to resolve or mitigate the problem.

Details https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/

HardNorth avatar Mar 31 '22 10:03 HardNorth

Initial investigations show that there is no way to use this against ReportPortal. As per Spring itself:

These are the requirements for the specific scenario from the report:

- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as WAR
- spring-webmvc or spring-webflux dependency

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

ReportPortal uses JAR packaging, not WAR. None of ReportPortal's dependencies (standalone or embedded) are vulnerable either.

HardNorth avatar Mar 31 '22 13:03 HardNorth
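As an added example (not code from ReportPortal or from either comment above), the following Python check applies the four preconditions quoted from the Spring announcement to a deployable artifact, and additionally compares the bundled spring-webmvc/spring-webflux version against the fixed releases (Spring Framework 5.3.18 and 5.2.20). The runtime JDK major version and the external servlet container cannot be read from the archive and are assumptions passed in by the caller; the WAR and Spring Boot JAR archives below are constructed in memory with empty entries, since only the entry names matter for the check.

```python
"""Check a Java artifact against the published CVE-2022-22965 (Spring4Shell) preconditions.

Added example, not ReportPortal code. The archive tells us packaging, Spring web
jars and an embedded Tomcat; the runtime JDK and an external container are
assumptions supplied by the caller.
"""
import io
import re
import zipfile

# Matches e.g. BOOT-INF/lib/spring-webmvc-5.3.17.jar or WEB-INF/lib/spring-webflux-5.2.19.jar
SPRING_WEB_JAR = re.compile(
    r"(?:^|/)spring-(webmvc|webflux)-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")
EMBEDDED_TOMCAT_JAR = re.compile(r"(?:^|/)tomcat-embed-core-[^/]*\.jar$")

# First patch level of each supported Spring Framework line that fixes CVE-2022-22965.
FIXED_PATCH = {(5, 2): 20, (5, 3): 18}


def spring_version_fixed(version):
    """True if (major, minor, patch) is at or above the fixed release of its line."""
    major, minor, patch = version
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # Lines newer than 5.3 were released after the fix; anything older is unpatched.
        return (major, minor) > (5, 3)
    return patch >= fixed


def assess_archive(archive_bytes, runtime_java_major, external_container=None):
    """Return which Spring4Shell preconditions an artifact satisfies.

    runtime_java_major:  assumed major version of the JVM that runs it (e.g. 11).
    external_container:  assumed servlet container for a WAR (e.g. "tomcat"); ignored
                         for JARs, where an embedded Tomcat is detected from the archive.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = zf.namelist()

    is_war = any(n.startswith("WEB-INF/") for n in names)
    spring_web = []
    for n in names:
        m = SPRING_WEB_JAR.search(n)
        if m:
            spring_web.append((m.group(1), tuple(int(x) for x in m.group(2, 3, 4))))
    embedded_tomcat = any(EMBEDDED_TOMCAT_JAR.search(n) for n in names)
    container = external_container if is_war else ("tomcat-embedded" if embedded_tomcat else None)

    findings = {
        "jdk9_or_higher": runtime_java_major >= 9,
        "tomcat_container": container is not None and container.startswith("tomcat"),
        "war_packaging": is_war,
        "spring_web_present": bool(spring_web),
        "spring_web_jars": spring_web,
        # Unpatched Spring web jars need upgrading regardless of the deployment scenario.
        "unpatched_spring_web": any(not spring_version_fixed(v) for _, v in spring_web),
    }
    findings["matches_published_scenario"] = all(findings[k] for k in (
        "jdk9_or_higher", "tomcat_container", "war_packaging",
        "spring_web_present", "unpatched_spring_web"))
    return findings


def build_archive(entry_names):
    """Constructed sample archive: the given entry names with empty contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed samples (not real artifacts): a classic WAR, a Spring Boot fat JAR, a patched WAR.
SAMPLE_WAR = build_archive([
    "META-INF/MANIFEST.MF", "WEB-INF/web.xml", "WEB-INF/lib/spring-webmvc-5.3.17.jar"])
SAMPLE_BOOT_JAR = build_archive([
    "META-INF/MANIFEST.MF", "BOOT-INF/classes/application.yml",
    "BOOT-INF/lib/spring-webmvc-5.3.17.jar", "BOOT-INF/lib/tomcat-embed-core-9.0.60.jar"])
SAMPLE_PATCHED_WAR = build_archive([
    "META-INF/MANIFEST.MF", "WEB-INF/web.xml", "WEB-INF/lib/spring-webmvc-5.3.18.jar"])

if __name__ == "__main__":
    for label, data, container in (("war", SAMPLE_WAR, "tomcat"),
                                   ("boot-jar", SAMPLE_BOOT_JAR, None),
                                   ("patched-war", SAMPLE_PATCHED_WAR, "tomcat")):
        print(label, assess_archive(data, runtime_java_major=11, external_container=container))
```

The Boot JAR case is the one the comment above describes: the embedded Tomcat and the Spring web jars are present, but the WAR precondition is not met, so `matches_published_scenario` is false. `unpatched_spring_web` is reported separately because the published scenario was only the one reproduced at disclosure time; an artifact that does not match it but still bundles an unpatched spring-webmvc or spring-webflux should still be upgraded.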