Spring4Shell & Lansweeper

Recently a new vulnerability in the Java Spring framework, dubbed Spring4Shell, was disclosed. CVE-2022-22965 has a potentially large impact, as many applications use the Spring framework. Neither Lansweeper nor its 3rd party components are vulnerable or affected.

Similar to Log4j, the Spring4Shell vulnerability concerns a Java library that can potentially be used in many applications. According to Contrast Security, the Spring Core Framework is used in 74% of Java applications.

As it did for Log4j, the Dutch National Cyber Security Centre created a public GitHub repository with its collected information, including the requirements for the specific vulnerable scenario, tools/scripts to scan for the specific Java framework, and more.

A vulnerable scenario as published by Spring:

  • Running on JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as a traditional WAR and deployed in a standalone Tomcat instance. Typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted.
  • spring-webmvc or spring-webflux dependency.
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.
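A small check that applies these five conditions to a WAR's jar listing, written here as an added example (it is not Lansweeper's tooling or the NCSC scripts). The affected version ranges and jar names come from the list above; the WAR listing is constructed.

```python
import re

# First fixed patch level per Spring Framework minor line, derived from the
# affected ranges above: 5.3.0-5.3.17 and 5.2.0-5.2.19 (anything older is affected too).
FIRST_FIXED_PATCH = {(5, 3): 18, (5, 2): 20}

# Matches spring-core / spring-webmvc / spring-webflux jars, e.g.
# WEB-INF/lib/spring-webmvc-5.3.17.jar or spring-webmvc-5.2.19.RELEASE.jar
JAR_RE = re.compile(r"(?:^|/)spring-(core|webmvc|webflux)-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")

# Constructed WAR listing (not from any real deployment), in the form
# zipfile.ZipFile(path).namelist() returns for a traditional WAR.
SAMPLE_WAR_ENTRIES = [
    "WEB-INF/web.xml",
    "WEB-INF/lib/spring-core-5.3.17.jar",
    "WEB-INF/lib/spring-webmvc-5.3.17.jar",
    "WEB-INF/lib/commons-lang3-3.12.0.jar",
]


def spring_version_affected(version):
    """True if a Spring Framework version string lies in the affected ranges."""
    major, minor, patch = (int(x) for x in version.split(".")[:3])
    if (major, minor) in FIRST_FIXED_PATCH:
        return patch < FIRST_FIXED_PATCH[(major, minor)]
    return (major, minor) < (5, 2)  # "and older versions"


def spring_jars(entries):
    """Map artifact name -> version for the Spring jars present in a WAR listing."""
    found = {}
    for name in entries:
        m = JAR_RE.search(name)
        if m:
            found[m.group(1)] = ".".join(m.group(2, 3, 4))
    return found


def war_exposed(entries, jdk_major, standalone_tomcat):
    """Apply the published scenario: JDK 9+, WAR on a standalone Tomcat,
    spring-webmvc or spring-webflux present, and an affected framework version."""
    if jdk_major < 9 or not standalone_tomcat:
        return False
    jars = spring_jars(entries)
    web_version = jars.get("webmvc") or jars.get("webflux")
    return web_version is not None and spring_version_affected(web_version)


if __name__ == "__main__":
    print("exposed" if war_exposed(SAMPLE_WAR_ENTRIES, 11, True) else "not in scope")
```

Spring Boot deployments with an embedded container would pass `standalone_tomcat=False` and are correctly reported as out of scope, matching the third bullet.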

Our security team has evaluated Lansweeper and all of its third-party components for exposure to CVE-2022-22965. After the evaluation, we're happy to confirm that neither Lansweeper nor its 3rd party components are vulnerable or affected by the Spring4Shell vulnerability.
