Spring4Shell Vulnerability - CVE-2022-22965 #5123

fraser-nds · 2022-04-01T10:13:29Z

fraser-nds
Apr 1, 2022

Recently noticed a software vulnerability that affects JAVA applications. Known as Spring4Shell it's been in the news recently:
https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
https://www.computerweekly.com/news/252515360/Spring4Shell-zero-day-sprung-on-security-teams
https://tanzu.vmware.com/security/cve-2022-22965

As Mirth Connect is a JAVA application, wondering if anyone has insight into whether it's affected. I've done some initial investigation and couldn't find any direct references to the Spring framework, but finding it hard to rule out it's use.

Wondering if anyone with more experience in the codebase than me can comment?

Many Thanks,
Fraser

Answered by jonbartels

Apr 1, 2022

You found the correct solution. MC does not use Spring. https://github.com/nextgenhealthcare/connect/search?q=spring&type=code

View full answer

jonbartels · 2022-04-01T17:24:50Z

jonbartels
Apr 1, 2022

You found the correct solution. MC does not use Spring. https://github.com/nextgenhealthcare/connect/search?q=spring&type=code

0 replies

discofris · 2022-04-11T13:04:29Z

discofris
Apr 11, 2022

Also, MC uses Jetty as the container servlet.
CVE-2022-22965 only affects Tomcat.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Spring4Shell Vulnerability - CVE-2022-22965 #5123

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments

{{title}}

{{title}}

Select a reply

Spring4Shell Vulnerability - CVE-2022-22965 #5123

fraser-nds Apr 1, 2022

Replies: 2 comments

jonbartels Apr 1, 2022

discofris Apr 11, 2022

fraser-nds
Apr 1, 2022

jonbartels
Apr 1, 2022

discofris
Apr 11, 2022