Security Patch - April 2022
A vulnerability was uncovered on March 31st in the Spring Framework library, tracked under the following reference: CVE-2022-22965. The vulnerability has been dubbed Spring4Shell (or SpringShell).
You can find here and here detailed explanations of the vulnerability, its impact and level of risk.
The vulnerability is located in Spring, which is embedded in all versions of Jahia, in the deserialization of objects from HTTP requests. It can be exploited to access classes in the JVM that should not be reachable from a request.
Impacted versions
Previous communication about the impacted versions may have been incomplete or not clear enough; the list below provides more details.
- All versions of Jahia (7.x or 8.x) are impacted to some extent by the vulnerability.
- The vulnerability can be exploited through Spring Web Flow (used in some Jahia backoffice interfaces, the retired formbuilder module and possibly in custom modules) and through Spring MVC.
- Customers running Jahia 8.1 and not using Spring MVC in custom modules are not impacted, as the Spring Web Flow version used in Jahia 8.1 offers a sufficient level of protection against the vulnerability.
- For customers on versions lower than 8.1 who use neither Spring MVC nor Spring Web Flow in custom modules, an authenticated account with access to the Jahia back-office is required to exploit the vulnerability. This does not completely eliminate the risk, but it severely reduces it, as the attacker would need an account with access to the Jahia back-office.
- Customers, in any version, using Spring MVC's data binding of request parameters to plain Java objects are exposed to the vulnerability.
- Customers on versions lower than 8.1 using Spring Web Flow are exposed to the vulnerability.
To check if you are using Spring Web Flow as part of your custom modules, you can use the following command line (under Linux):
find JAHIA_HOME/digital-factory-data/bundles-deployed -type f -name "*" -exec grep "spring-webflow" {} \; -print
To check if you are using Spring MVC as part of your custom modules, you can use the following command line (under Linux):
find JAHIA_HOME/digital-factory-data/bundles-deployed -type f -name "*" -exec grep "spring-webmvc" {} \; -print
- jCustomer is not affected by the vulnerability as it does not use Spring.
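The two find/grep commands above match the library names inside the binary bundle archives. As an added example (not Jahia tooling), the following Python script performs the same check by opening each bundle jar under bundles-deployed with the standard zipfile module and reporting which bundles embed a spring-webflow or spring-webmvc jar or import their packages in META-INF/MANIFEST.MF. The package names used for the manifest check (org.springframework.webflow and org.springframework.web.servlet) are the standard packages of those two libraries; the sample bundles built by build_sample_bundle and demo_report are constructed data used only to demonstrate the output.

```python
"""Scan deployed Jahia bundles for Spring Web Flow / Spring MVC references.

Added example, not Jahia's own tooling. Reads each .jar under a
bundles-deployed directory with zipfile instead of grepping the binary
archive, and reports the bundles that reference spring-webflow or
spring-webmvc (embedded jar name or Import-Package in MANIFEST.MF).
"""
import os
import tempfile
import zipfile
from typing import Dict, List

# Library names from the advisory, matched against embedded jar file names.
MARKERS = ("spring-webflow", "spring-webmvc")
# Package prefixes an OSGi manifest imports for each library.
PACKAGE_MARKERS = {
    "spring-webflow": "org.springframework.webflow",
    "spring-webmvc": "org.springframework.web.servlet",
}


def markers_in_bundle(jar_path: str) -> List[str]:
    """Return the sorted markers found in one bundle jar (empty if none)."""
    found = set()
    try:
        with zipfile.ZipFile(jar_path) as zf:
            names = zf.namelist()
            for name in names:
                base = os.path.basename(name)
                for marker in MARKERS:
                    if base.startswith(marker):
                        found.add(marker)
            if "META-INF/MANIFEST.MF" in names:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                # Manifest continuation lines start with one space; join them first.
                manifest = manifest.replace("\r\n", "\n").replace("\n ", "")
                for marker, pkg in PACKAGE_MARKERS.items():
                    if pkg in manifest:
                        found.add(marker)
    except zipfile.BadZipFile:
        pass  # not a jar at all; nothing to report
    return sorted(found)


def scan_bundles(bundles_dir: str) -> Dict[str, List[str]]:
    """Walk bundles_dir and map each affected jar path to its markers."""
    report: Dict[str, List[str]] = {}
    for root, _dirs, files in os.walk(bundles_dir):
        for fname in files:
            if fname.endswith(".jar"):
                path = os.path.join(root, fname)
                hits = markers_in_bundle(path)
                if hits:
                    report[path] = hits
    return report


def build_sample_bundle(path: str, embedded=(), imports=()) -> str:
    """Write a minimal fake bundle jar (constructed data, for the demo only)."""
    manifest = "Manifest-Version: 1.0\nBundle-SymbolicName: sample\n"
    if imports:
        manifest += "Import-Package: " + ",".join(imports) + "\n"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name in embedded:
            zf.writestr(name, b"")  # contents are irrelevant to the check
    return path


def demo_report() -> Dict[str, List[str]]:
    """Build four constructed bundles in a temp dir and scan them."""
    target = tempfile.mkdtemp()
    build_sample_bundle(os.path.join(target, "a.jar"),
                        embedded=["lib/spring-webflow-2.4.8.jar"])
    build_sample_bundle(os.path.join(target, "b.jar"),
                        imports=["org.springframework.web.servlet.mvc"])
    build_sample_bundle(os.path.join(target, "c.jar"))  # clean bundle
    build_sample_bundle(os.path.join(target, "d.jar"),
                        embedded=["lib/spring-webflow-2.4.8.jar"],
                        imports=["org.springframework.web.servlet.mvc"])
    return {os.path.basename(p): h for p, h in scan_bundles(target).items()}


if __name__ == "__main__":
    import sys
    # Pass JAHIA_HOME/digital-factory-data/bundles-deployed as the argument;
    # without one, the constructed demo bundles are scanned instead.
    report = scan_bundles(sys.argv[1]) if len(sys.argv) > 1 else demo_report()
    for path, hits in sorted(report.items()):
        print(path, "->", ", ".join(hits))
```

Run it against the real bundles-deployed folder to get one line per affected bundle; a bundle that only imports the packages (rather than embedding the jar) is also reported, which the plain grep on the archive can miss when the manifest is stored compressed.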
Patches addressing the attack vectors
To address the Spring MVC attack vector
The following procedure needs to be applied on each cluster node in your Jahia 7.3 or Jahia 8 environment. It is not necessary to shut down the entire cluster; you can instead proceed with a rolling restart (stop a node, apply the patch and restart the node while the other cluster nodes are up and running).
- Download the patched spring-beans-3.2.18.jahia1_OSGI.jar library
- Stop your server / cluster node
- Remove the spring-beans-*.jar lib file from the tomcat/webapps/ROOT/WEB-INF/lib folder
- Add the previously downloaded spring-beans-3.2.18.jahia1_OSGI.jar to the tomcat/webapps/ROOT/WEB-INF/lib folder
- Restart your server / cluster node
- Repeat with the other cluster nodes
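Before restarting a node and moving on to the next one, it is worth confirming that the lib folder is in the expected state: the old spring-beans jar removed and only the patched one present. The script below is an added example (not part of the advisory) that performs that check; the patched jar name comes from the procedure above, while the "before" and "half-done" folders built by demo_states, including the old jar name spring-beans-3.2.18.RELEASE.jar, are constructed data for the demonstration.

```python
"""Verify tomcat/webapps/ROOT/WEB-INF/lib after the spring-beans swap.

Added example, not part of the Jahia advisory. Lists the spring-beans-*.jar
files in the lib folder and reports whether exactly the patched jar named in
the procedure is present, so a node can be checked before it is restarted.
"""
import os
import tempfile
from typing import Dict, List, Tuple

PATCHED_JAR = "spring-beans-3.2.18.jahia1_OSGI.jar"  # name from the advisory


def spring_beans_jars(lib_dir: str) -> List[str]:
    """Return the spring-beans-*.jar file names found directly in lib_dir."""
    return sorted(
        f for f in os.listdir(lib_dir)
        if f.startswith("spring-beans-") and f.endswith(".jar")
    )


def check_lib_dir(lib_dir: str) -> Tuple[bool, str]:
    """Return (ok, message); ok only when the patched jar is the sole spring-beans jar."""
    jars = spring_beans_jars(lib_dir)
    if jars == [PATCHED_JAR]:
        return True, "patched: " + PATCHED_JAR
    if not jars:
        return False, "no spring-beans jar present; the webapp would not start"
    if PATCHED_JAR not in jars:
        return False, "unpatched spring-beans jar(s): " + ", ".join(jars)
    leftovers = [j for j in jars if j != PATCHED_JAR]
    # Two spring-beans jars on the classpath: which one wins is not guaranteed.
    return False, "patched jar present but old jar(s) not removed: " + ", ".join(leftovers)


def demo_states() -> Dict[str, bool]:
    """Construct three lib folders (constructed data) and check each."""
    scenarios = {
        "before": ["spring-beans-3.2.18.RELEASE.jar"],          # constructed old name
        "half-done": ["spring-beans-3.2.18.RELEASE.jar", PATCHED_JAR],
        "after": [PATCHED_JAR],
    }
    results = {}
    for label, names in scenarios.items():
        lib_dir = tempfile.mkdtemp()
        for name in names:
            open(os.path.join(lib_dir, name), "wb").close()  # empty stand-in files
        results[label] = check_lib_dir(lib_dir)[0]
    return results


if __name__ == "__main__":
    import sys
    # Pass the node's tomcat/webapps/ROOT/WEB-INF/lib path; without one, run the demo.
    if len(sys.argv) > 1:
        ok, message = check_lib_dir(sys.argv[1])
        print(("OK   " if ok else "FAIL ") + message)
    else:
        for label, ok in demo_states().items():
            print(label, "->", "OK" if ok else "FAIL")
```

The "half-done" case is the one worth catching on a rolling restart: if the old jar is left next to the patched one, the node starts with two spring-beans versions on the classpath and the check reports it rather than treating the presence of the new jar as success.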
To address the Spring Web Flow attack vector
Jahia 8.1 relies on an upgraded version of the Spring Web Flow library that protects it from this attack vector, so deploying or updating the Webflow filter module is not required. As it is not possible to upgrade the version of Spring Web Flow for previous Jahia versions, the Webflow filter module has been updated to include protection against this vulnerability.
- Download the latest version of the Webflow Filter module compatible with your Jahia version
  - webflow-filter 1.2.0 compatible with Jahia 7.3
  - webflow-filter 2.2.0 compatible with Jahia 8
- Deploy and start the webflow-filter module on your environment