Spring Framework RCE, CVE-2022-22965

A remote code execution vulnerability has been identified in the Spring Framework.

Spring4Shell in Jenkins Core and Plugins

The Jenkins security team has confirmed that the Spring vulnerability does not affect Jenkins Core. There is no impact because Jenkins uses Stapler as its servlet layer, not Spring MVC or Spring WebFlux.

The plugins were analyzed to determine whether any of them use Spring in a dangerous way. No impact was found.

The affected library is pulled in as a dependency of spring-security-web, which has not yet been updated to the fixed version. The mere presence of Spring Framework on the classpath is not enough to make an application vulnerable.
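The distinction drawn above (an unfixed Spring artifact reachable only through spring-security-web versus an application actually built on Spring MVC or WebFlux) can be turned into a first-pass triage over `mvn dependency:tree` output. This is an added example, not code from the Jenkins project; the sample trees are constructed, the artifact sets are an assumption about which jars matter, and the fixed versions (5.3.18 and 5.2.20) are the ones published by the Spring project.

```python
import re

# Fixed Spring Framework versions for CVE-2022-22965 (5.3.18 / 5.2.20); older lines get no fix.
FIXED = {"5.3": (5, 3, 18), "5.2": (5, 2, 20)}
WEB_STACKS = {"spring-webmvc", "spring-webflux"}          # the precondition: Spring MVC or WebFlux
BINDING_ARTIFACTS = {"spring-beans", "spring-core", "spring-web", "spring-context"}  # assumption
# One Maven coordinate from `mvn dependency:tree`: groupId:artifactId:jar:version[:scope]
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\d.]+[\w.\-]*)")

def parse_tree(text):
    """Map artifactId -> version for every org.springframework* coordinate in the tree."""
    return {a: v for g, a, v in COORD.findall(text) if g.startswith("org.springframework")}

def version_tuple(version):
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])

def is_patched(version):
    fixed = FIXED.get(".".join(version.split(".")[:2]))
    if fixed is None:                       # 6.x never shipped the bug; 5.1 and older were never fixed
        return version_tuple(version) > (5, 3, 18)
    return version_tuple(version) >= fixed

def triage(tree_text):
    """Classify a dependency tree: exposed / library-present-only / patched-or-absent."""
    deps = parse_tree(tree_text)
    web = sorted(a for a in deps if a in WEB_STACKS)
    unpatched = sorted(a for a, v in deps.items() if a in BINDING_ARTIFACTS and not is_patched(v))
    if not unpatched:
        verdict = "patched-or-absent"
    elif not web:
        verdict = "library-present-only"    # the Jenkins situation described in the post
    else:
        verdict = "exposed"                 # unfixed binder reachable through Spring MVC/WebFlux
    return verdict, web, unpatched

# Constructed sample trees (not real Jenkins output): a Stapler app that only inherits
# spring-beans through spring-security-web, and a Spring MVC app on an unfixed version.
STAPLER_TREE = """\
[INFO] org.example:stapler-app:war:1.0
[INFO] +- org.kohsuke.stapler:stapler:jar:0.0.0-sample:compile
[INFO] +- org.springframework.security:spring-security-web:jar:0.0.0-sample:compile
[INFO] |  +- org.springframework:spring-beans:jar:5.3.16:compile
[INFO] |  \\- org.springframework:spring-core:jar:5.3.16:compile
"""
MVC_TREE = """\
[INFO] org.example:mvc-app:war:1.0
[INFO] +- org.springframework:spring-webmvc:jar:5.3.17:compile
[INFO] |  +- org.springframework:spring-beans:jar:5.3.17:compile
[INFO] |  \\- org.springframework:spring-web:jar:5.3.17:compile
"""

if __name__ == "__main__":
    for name, tree in (("stapler-app", STAPLER_TREE), ("mvc-app", MVC_TREE)):
        print(name, triage(tree))
```

A "library-present-only" result still deserves the upgrade once spring-security-web ships the fixed version; the script only separates the two cases the post distinguishes, it does not prove absence of other paths to the data binder.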

Spring4Shell in the Jenkins Infrastructure

The Jenkins infrastructure and security teams have confirmed that the Spring vulnerability does not affect any part of the Jenkins infrastructure.

The following applications are Java applications that mention Spring as a dependency:

Further Updates

We may update this blog post if there are any corrections to be made, and in that case we'll clearly call those out at the top.

Wadeck Follonier Wadeck is the Jenkins security officer, leading the security team in improving Jenkins security. He likes to provide solutions that are both useful and easy to use.

This is a companion discussion topic for the original entry at https://www.jenkins.io/blog/2022/03/31/spring-rce-CVE-2022-22965/

Is Jenkins vulnerable to Spring Framework vulnerabilities posted in CVE-2022-22950, CVE-2022-22970, and/or CVE-2022-22971? If not (or if so), could you kindly update this blog post as it seems to be specific to CVE-2022-22965?

I am also looking for this information for 22970 and 2297

Please create a new post for these issues. This blog post is about a specific issue, not a place to ask for ongoing help.