Unsolved
April 4th, 2022 00:00
Spring4Shell - WMS
Good morning,
With the recent news of the Spring Framework vulnerability known as Spring4Shell, is Dell looking into this at all? We installed version 3.6.0.241 only recently to fix the Log4j vulnerabilities, but Nessus is now showing that our WMS server is vulnerable to Spring4Shell as well.
Path : C:\Program Files\DELL\WMS\Tomcat-9\webapps\wms-api\WEB-INF\lib\spring-core-5.3.14.jar
Installed version : 5.3.14
Fixed version : 5.3.18
Path : C:\Program Files\DELL\WMS\Tomcat-9\webapps\wms-api\WEB-INF\lib\reactor-spring-1.0.1.RELEASE.jar
Installed version : 1.0.1.RELEASE
Fixed version : 5.2.20
Path : C:\Program Files\DELL\WMS\Tomcat-9\webapps\ccm-web\WEB-INF\lib\spring-core-5.3.13.jar
Installed version : 5.3.13
Fixed version : 5.3.18
Thank you.
DELL-Scott H
Moderator
April 6th, 2022 06:00
CVE-2022-22965 | Spring4Shell vulnerability will be addressed as part of WMS 3.6.1.
beendon
June 18th, 2022 10:00
The issue lies in the "data binding" mechanism of the Spring Framework. Whenever an external user submits a request, Spring MVC allows associating the parameters from the submitted request URL, request headers or the request body with any other function as arguments, or treats them as Java objects. Since the request parameters/data are externally controlled by the users, it poses a security risk to pass them as parameters internally to
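To make the data-binding point above concrete, here is an added example (not code from the original posts, and not Dell WMS code) showing a minimal Spring MVC controller whose request parameters are bound onto a plain Java bean, alongside the `@ControllerAdvice` workaround the Spring team published for CVE-2022-22965 for applications that cannot immediately move to Spring Framework 5.3.18 / 5.2.20. The package name, the `DeviceRegistration` bean, the `DeviceController` class and the `/devices/register` route are hypothetical; the `@InitBinder` deny-list is the one from the Spring advisory.

```java
// Added example, not from the original thread or from Dell WMS.
// Package, bean, controller and route names are hypothetical.
package example;

import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// A plain Java bean (hypothetical). Spring MVC's data binder resolves the
// request parameter names as property paths on this object and calls the
// matching setters, so "name=kiosk-01&site=London" populates both fields.
public class DeviceRegistration {
    private String name;
    private String site;

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public String getSite() { return site; }
    public void setSite(String site) { this.site = site; }
}

@RestController
@RequestMapping("/devices")
class DeviceController {
    // The bean is populated purely from externally controlled request data.
    // Every public getter reachable from the bean, including getClass(), is a
    // candidate for a nested property path such as "class.module.classLoader.*".
    // On JDK 9+ with spring-webmvc deployed as a WAR on Tomcat, that path is
    // what CVE-2022-22965 abuses; the vulnerable framework versions did not
    // stop the binder from walking into it.
    @PostMapping("/register")
    public String register(DeviceRegistration reg) {
        return "registered " + reg.getName() + " at " + reg.getSite();
    }
}

// Workaround published with the Spring advisory for applications that cannot
// upgrade yet: refuse to bind any property path that passes through "class".
// It applies to every controller's WebDataBinder in this application context.
@ControllerAdvice
@Order(10000)
class BinderControllerAdvice {
    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

Two caveats a practitioner should keep in mind. First, the deny-list is only a stop-gap: a controller that declares its own `@InitBinder` and calls `setDisallowedFields` locally overrides the advice, so each such controller must carry the same patterns. Second, the permanent fix is the framework upgrade the Nessus output in the first post points at (spring-core / spring-beans 5.3.18 or 5.2.20), which is why the vendor-supplied WMS update is the right place to address it rather than patching jars inside `C:\Program Files\DELL\WMS\Tomcat-9\webapps` by hand.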