Spring Framework RCE Vulnerability - BI Platform / Tomcat impact?

omacoder
Active Contributor

Accepted Solutions (1)

0 Kudos

I created a case and got the following answer:

#####

As per the CVE, a Spring MVC or Spring WebFlux application is vulnerable via data binding in Spring 5.3.x versions.

Since our usage is limited to Spring Security SAML API consumption with no involvement of data binding, we are safe from this vulnerability and it's a false positive.

No Impact with SAP Business Objects.

--Regarding Java Spring Framework CVE-2022-22965 and CVE-2010-1622.
--Questions regarding impact of Java Spring Framework vulnerability in SAP BO and SAP BO Data Services, etc.

===Resolution===
Looks like the reported vulnerability is not impacting SAP BO/DS applications.

Development has reviewed and concluded that this CVE is a false positive.

Since its usage in BI Platform is limited to Spring Security SAML API consumption with no involvement of data binding, we are not impacted by this vulnerability.

The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

These are the prerequisites for the exploit:
JDK 9 or higher

So, as of now we don't provide a JDK 9 or higher version bundled with the product. Looks like it is not impacting our product right now.

2914574 - Third-party software Vulnerabilities (CVE) NOT impacting SAP BusinessObjects 4.x
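The prerequisites quoted in the accepted solution (a Spring 5.3.x application, deployed as a WAR under Tomcat, running on JDK 9 or higher) are the three facts a defender would want to verify on their own servers rather than take on faith. The Python script below is an added example and is not SAP's, the Spring project's, or the thread's own code: it scans a Tomcat `webapps` directory for Spring Framework jars in exploded or packaged WARs, normalises the JDK version string, and reports per application whether all three quoted preconditions hold. The webapp names and jar versions in `build_sample()` are constructed for the demonstration. The data-binding question, which is the basis of SAP's "false positive" conclusion, has to be answered from the application code itself and is deliberately left out of what a jar scan can decide.

```python
"""
Exposure triage for the Spring4Shell preconditions quoted in the support answer:
a Spring 5.3.x application, deployed as a WAR under Tomcat, running on JDK 9+.
Sample app names and jar versions below are constructed for illustration.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Matches Spring Framework jars such as spring-webmvc-5.3.7.jar or
# spring-core-4.3.30.RELEASE.jar and captures artifact id + numeric version.
SPRING_JAR = re.compile(
    r"^spring-(core|beans|web|webmvc|webflux)-(\d+)\.(\d+)\.(\d+)(?:[.-]\w+)?\.jar$"
)


def java_major(version_string: str) -> int:
    """Normalise `java -version` output: '1.8.0_312' -> 8, '11.0.14' -> 11, '17' -> 17."""
    m = re.match(r"(\d+)(?:\.(\d+))?", version_string.strip().strip('"'))
    if not m:
        raise ValueError(f"unrecognised Java version: {version_string!r}")
    major = int(m.group(1))
    # Pre-9 JDKs report '1.x'; the real major is the second component.
    if major == 1 and m.group(2) is not None:
        return int(m.group(2))
    return major


def spring_jars(webapps: Path):
    """Return (app_name, artifact, (major, minor, patch)) for every Spring jar
    found in WEB-INF/lib of exploded or packaged WARs under a Tomcat webapps dir."""
    found = []
    for app in sorted(webapps.iterdir()):
        if app.is_dir():
            lib = app / "WEB-INF" / "lib"
            names = [p.name for p in lib.iterdir()] if lib.is_dir() else []
            app_name = app.name
        elif app.suffix == ".war":
            with zipfile.ZipFile(app) as zf:
                names = [Path(n).name for n in zf.namelist() if n.startswith("WEB-INF/lib/")]
            app_name = app.stem
        else:
            continue
        for name in names:
            m = SPRING_JAR.match(name)
            if m:
                version = tuple(int(x) for x in m.group(2, 3, 4))
                found.append((app_name, m.group(1), version))
    return found


def triage(java_version: str, webapps: Path) -> dict:
    """Per application: Spring versions seen and whether all three quoted
    exploit prerequisites hold. Whether the app actually uses data binding
    (the basis of SAP's 'false positive' call) cannot be read from jar names,
    so that judgement is left to the application owner."""
    jdk9_plus = java_major(java_version) >= 9
    report = {}
    for app, _artifact, (major, minor, patch) in spring_jars(webapps):
        entry = report.setdefault(app, {"spring_versions": set(), "tomcat_war": True,
                                        "jdk9_plus": jdk9_plus, "spring_5_3": False})
        entry["spring_versions"].add(f"{major}.{minor}.{patch}")
        # The answer above names 5.3.x; check the exact patched release against
        # the Spring advisory before treating any particular 5.3 build as fixed.
        if (major, minor) == (5, 3):
            entry["spring_5_3"] = True
    for entry in report.values():
        entry["spring_versions"] = sorted(entry["spring_versions"])
        entry["meets_exploit_prereqs"] = (
            entry["tomcat_war"] and entry["jdk9_plus"] and entry["spring_5_3"]
        )
    return report


def build_sample() -> Path:
    """Constructed Tomcat webapps tree: one exploded WAR on Spring 5.3.x and one
    packaged WAR on a 4.x line. Names and versions are made up for the demo."""
    root = Path(tempfile.mkdtemp(prefix="webapps-"))
    lib = root / "bi-sample" / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    for jar in ("spring-core-5.3.7.jar", "spring-webmvc-5.3.7.jar", "opensaml-3.4.6.jar"):
        (lib / jar).touch()
    with zipfile.ZipFile(root / "legacy.war", "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/lib/spring-core-4.3.30.RELEASE.jar", b"")
    return root


if __name__ == "__main__":
    sample = build_sample()
    for jdk in ("1.8.0_312", "11.0.14"):
        print(f"JDK {jdk}:")
        for app, entry in triage(jdk, sample).items():
            print(f"  {app}: {entry}")
```

Run against a real server by pointing `triage()` at the Tomcat `webapps` directory and the output of `java -version` for the JVM that Tomcat actually starts with (the bundled JDK, in the BI Platform case, rather than whatever is first on `PATH`). An application reported as meeting all three prerequisites is a candidate for the data-binding review, not a confirmed exposure; one reported as failing any of them matches the reasoning SAP gave above.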

omacoder
Active Contributor
0 Kudos

Thank you!!!

Answers (1)

denis_konovalov
Active Contributor

Answer is in SAP Note https://launchpad.support.sap.com/#/notes/2914574

Not vulnerable.

omacoder
Active Contributor
0 Kudos

I must be reading that note differently because the question that I asked is not answered in that note.

denis_konovalov
Active Contributor
0 Kudos

Both CVEs associated with Spring Framework issues are listed there.

omacoder
Active Contributor
0 Kudos

My infrastructure team did not provide me with a CVE number -

A quick Google search identified it as CVE-2022-22950, which is not included in Note 2914574.

So my next question: if it is not included in the note, can we presume SAP has evaluated it and there is an impact?

denis_konovalov
Active Contributor
0 Kudos

This one is not published and appears to be hardly exploitable.

The original ones are:

  1. Confirmed: CVE-2022-22965 "Spring4Shell" in Spring Core that has been confirmed by several sources that leverages class injection (very severe),
  2. Confirmed: CVE-2022-22963 in Spring Cloud Function (less severe),
  3. Unconfirmed: A third weakness that was initially discussed as allowing RCE via deserialization, but isn't exploitable (not severe currently)

So, most likely CVE-2022-22950 does not affect us, the same way the previous two don't, but it hasn't been officially validated.

omacoder
Active Contributor
0 Kudos

Got it!! Thank you very much for your assistance!