All versions of our Loadbalancer.org appliances are free from these vulnerabilities as we do not use Java in the product.
It’s a busy time of year, and Spring has most definitely sprung for many. However, it has also unfortunately brought a number of Spring Framework (spring.io) vulnerabilities, published last week: CVE-2022-22963 and CVE-2022-22965 - both of which have a critical rating.
Since the announcement, we’ve been contacted by several customers asking whether or not they have been affected by these vulnerabilities. It is understandable that SysAdmins, DevOps, and most in the IT and Security Departments involved want to ensure all load balancers are fully patched and protected, given that our product plays an important role in their topology. And we would always advise our customers to seek help and ask the question if they are at all unsure.
Here is a summary of the vulnerabilites and proposed resolutions:
- CVE-2022-22963 affects Spring Cloud Function 3.1.6 and 3.2.2 (and other older, unsupported versions). On these versions, it is possible for a user to use a specifically crafted SpEL as a routing expression that may result in remote code execution and access to local resources. Users of the listed versions should upgrade to 3.1.7 or 3.2.3 to protect themselves.
- CVE-2022-22965 affects Spring Framework 5.2.0-5.2.19 or 5.3.0-5.3.17. Applications running JDK 9+ environments with Apache Tomcat, packaged as a WAR and with a dependency on the Spring MVC or WebFlux. With all of these components in place, a system may be vulnerable to remote code execution via data binding. To mitigate this potential issue, users should upgrade to Spring Framework 5.2.20+ or 5.3.18+.
As the Loadbalancer.org product range does not use Java or the Spring open source framework, we can assure our customers that we are not affected by these vulnerabilities. If you have any concerns though, please do get in touch and we’ll always be happy to help where we can.