On March 30, 2022, a serious zero-day remote code execution (RCE) vulnerability in the popular Spring Framework was disclosed.
This vulnerability puts a wide variety of web applications at risk of remote attack. A potential attacker needs to know the application's address, including the vulnerable endpoint, to exploit it. Applications not exposed to the internet are safe.
The vulnerability affects applications running on JDK 9, using Apache Tomcat as the servlet container, and using Spring Framework versions 5.3.0 to 5.3.17 or 5.2.0 to 5.2.19.
This vulnerability has been patched in Spring Framework 5.3.18 and 5.2.20.
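As an added example, not code from the advisory or from the EveryonePrint products, the following Python check applies the three conditions above to a constructed `mvn dependency:tree` excerpt and a `java -version` string. The Tomcat test is a simple package-name heuristic, and the JDK condition is taken as "9 or later" as stated in the linked Spring announcement; both are assumptions of this example.

```python
import re

# Affected Spring Framework ranges as stated in the advisory above (inclusive).
AFFECTED_SPRING_RANGES = (((5, 3, 0), (5, 3, 17)), ((5, 2, 0), (5, 2, 19)))

# Constructed sample of the lines `mvn dependency:tree` prints (assumed format).
SAMPLE_DEPENDENCY_TREE = """\
[INFO] com.example:print-portal:war:3.21
[INFO] +- org.springframework:spring-webmvc:jar:5.3.16:compile
[INFO] |  +- org.springframework:spring-core:jar:5.3.16:compile
[INFO] +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.58:compile
"""

def parse_spring_version(tree_text: str):
    """Return the spring-core version as an (x, y, z) tuple, or None if Spring is absent."""
    m = re.search(r"org\.springframework:spring-core:jar:(\d+)\.(\d+)\.(\d+)", tree_text)
    return tuple(int(x) for x in m.groups()) if m else None

def java_major_version(version_output: str) -> int:
    """Map `java -version` output to its major number: "1.8.0_322" -> 8, "11.0.14" -> 11."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_output)
    if not m:
        raise ValueError("unrecognised java -version output")
    major, minor = int(m.group(1)), m.group(2)
    # Pre-9 JDKs report "1.<major>"; 9 and later report the major directly.
    return int(minor) if major == 1 and minor else major

def spring_version_affected(version) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_SPRING_RANGES)

def assess(tree_text: str, java_version_output: str) -> str:
    """Combine the Spring version, servlet container and JDK conditions into a verdict."""
    spring = parse_spring_version(tree_text)
    if spring is None:
        return "not affected: Spring Framework not present"
    uses_tomcat = "org.apache.tomcat" in tree_text  # heuristic: Tomcat artifacts on the classpath
    on_jdk9_plus = java_major_version(java_version_output) >= 9
    if spring_version_affected(spring) and uses_tomcat and on_jdk9_plus:
        return (f"AFFECTED: spring-core {'.'.join(map(str, spring))} on Tomcat with JDK 9+; "
                "upgrade to Spring Framework 5.3.18 / 5.2.20")
    if spring_version_affected(spring):
        return "vulnerable Spring version, but not all preconditions (Tomcat, JDK 9+) are met; upgrade anyway"
    return "not affected: Spring version outside the advisory's ranges"
```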
Spring Framework & Hybrid Cloud Platform
The Spring Framework is not widely used in our Hybrid Cloud Platform (HCP), and we have reviewed the HCP and EOP Legacy application sources to identify any areas where it may be in use.
Currently, only our Xerox web client uses the Spring Framework, and it does not use the Apache Tomcat servlet container, which is one of the preconditions of this vulnerability.
To ensure we are fully up to date, we will update the Spring Framework to the latest version in the Xerox web client for release 3.22.
More information regarding the vulnerability can be found here: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Related Knowledge Base Articles
Cloud vulnerabilities can happen, and the EveryonePrint team does its very best to stay ahead of vulnerabilities and eliminate risks quickly. Click the links below to learn more about cloud vulnerabilities: