Spring4Shell - CVE-2022-22965

3
https://www.helpnetsecurity.com/2022/03/31/spring4shell/

Does anyone happen to know if any modules are using the Spring Framework?
asked
2 answers
3

Mendix will probably also react here, but the response from Slack from the CISO:
Mendix Runtime doesn't use Spring. Marketplace components might use it; however, 'The specific exploit requires the application to run on Tomcat as a WAR deployment.', which isn't used in Mendix Cloud.

Regards,

Ronald

answered
2

Don't know about the impact, but the latest version of the LDAP Synchronization module from Marketplace (v.8.0.0 January 21, 2020) contains these spring*.jar files:

Ldap_v8.0.0_Mx7.23.4\userlib\spring*

spring-beans-5.2.1.RELEASE.jar
spring-beans-5.2.1.RELEASE.jar.LDAPSynchronizationModule.RequiredLib
spring-core-5.2.1.RELEASE.jar
spring-core-5.2.1.RELEASE.jar.LDAPSynchronizationModule.RequiredLib
spring-ldap-core-2.3.2.RELEASE.jar
spring-ldap-core-2.3.2.RELEASE.jar.LDAPSynchronizationModule.RequiredLib
spring-tx-5.2.1.RELEASE.jar
spring-tx-5.2.1.RELEASE.jar.LDAPSynchronizationModule.RequiredLib

answered
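To answer the original question for any project, the manual listing in the second answer can be automated. This is an added example, not part of either answer and not Mendix code: it inventories Spring jars in a `userlib` folder and attributes each to a module, assuming the marker files follow the `<jar>.<ModuleName>.RequiredLib` pattern visible in the listing above; `spring_inventory` and `demo` are hypothetical names.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# spring-beans-5.2.1.RELEASE.jar -> ("spring-beans", "5.2.1.RELEASE")
JAR_RE = re.compile(r"^(spring-[a-z-]+?)-(\d[\w.]*)\.jar$", re.IGNORECASE)
# Assumption: marker files are named <jar>.<ModuleName>.RequiredLib
MARKER_RE = re.compile(r"^(.+\.jar)\.(.+)\.RequiredLib$", re.IGNORECASE)


def spring_inventory(userlib):
    """Map each Spring jar in a userlib folder to its artifact, version and owning modules."""
    names = [p.name for p in Path(userlib).iterdir() if p.is_file()]
    owners = defaultdict(set)
    for name in names:
        marker = MARKER_RE.match(name)
        if marker:
            owners[marker.group(1)].add(marker.group(2))
    inventory = {}
    for name in names:
        jar = JAR_RE.match(name)
        if jar:
            inventory[name] = {
                "artifact": jar.group(1),
                "version": jar.group(2),
                "modules": sorted(owners.get(name, ())),
            }
    return inventory


def demo():
    """Run the scan over a constructed userlib holding the file names from the answer."""
    jars = ["spring-beans-5.2.1.RELEASE.jar", "spring-core-5.2.1.RELEASE.jar",
            "spring-ldap-core-2.3.2.RELEASE.jar", "spring-tx-5.2.1.RELEASE.jar"]
    with tempfile.TemporaryDirectory() as tmp:
        for jar in jars:
            Path(tmp, jar).touch()
            Path(tmp, jar + ".LDAPSynchronizationModule.RequiredLib").touch()
        Path(tmp, "commons-io-2.6.jar").touch()  # constructed non-Spring jar
        return spring_inventory(tmp)


if __name__ == "__main__":
    for name, info in sorted(demo().items()):
        print(name, info["version"], ",".join(info["modules"]) or "(no marker)")
```

Point `spring_inventory` at a real project's `userlib` directory and compare the reported versions against the fixed releases named in the vendor advisory.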