Page tree


[updated on 2022 04 22 16:00 GMT+1]

For more information, see spring blog and CVE-2022-22965.

Change log

TimestampDescription
2022 04 22 16:00 GMT+1Added Remediation option for Collaboration tools 2021x GA version.
2022 04 04 18:00 GMT+1

First publication. Collaboration tools affected, see Remediation.

Spring Framework (Spring4Shell) version 5.3.0 to 5.3.17, 5.2.0 to 5.2.19 is a part of the following products. Action to perform.


CATIA Magic portfolio

  • Magic Collaboration Studio (release 19.0 SP4, 2021x GA, 2021x Refresh1, 2021x Refresh2)

No Magic portfolio

  • Teamwork Cloud (release 19.0 SP4, 2021x GA, 2021x Refresh1, 2021x Refresh2)
  • Cameo Collaborator for Teamwork Cloud (release  19.0 SP4, 2021x GA, 2021x Refresh1, 2021x Refresh2)

To Do:  You have action to perform. See Remediation.


Remediation

Remediation instructions for collaboration tools (Magic Collaboration Studio, Teamwork Cloud, Cameo Collaborator for Teamwork Cloud) 2021x Refresh2 

Before starting with remediation, please download https://repo.spring.io/artifactory/release/org/springframework/spring/5.3.18/spring-5.3.18-dist.zip

The required files for remediation could be found in spring-framework-5.3.18/libs folder.

  1. Stop WebApp service
  2. Go to <webapp.install.dir>/webapps
  3. Delete folders:
    1. admin/
    2. collaborator/
    3. document-exporter/
    4. resource-usage-map/
    5. resources/
    6. webapp/
    7. copy .war file (admin.war/collaborator.war/document-exporter.war/resource-usage-map.war/resources.war/webapp.war) to a temp directory. In the temp directory:
      1. unzip .war file
      2. go to <war.file.name>/WEB-INF/lib
      3. perform the modification:

Jar file to delete

Replace with

spring-aop-5.3.8.jar

spring-aop-5.3.18.jar

spring-beans-5.3.8.jar

spring-beans-5.3.18.jar

spring-context-5.3.8.jar

spring-context-5.3.18.jar

spring-context-support-5.3.8.jar

spring-context-support-5.3.18.jar

spring-core-5.3.8.jar

spring-core-5.3.18.jar

spring-expression-5.3.8.jar

spring-expression-5.3.18.jar

spring-jcl-5.3.8.jar

spring-jcl-5.3.18.jar

spring-web-5.3.8.jar

spring-web-5.3.18.jar

spring-webmvc-5.3.8.jar

spring-webmvc-5.3.18.jar

h. compress the content of extracted .war file
i. rename .zip with the .war file name, for example: admin.war
j. replace original .war file with modified one in <webapp.install.dir>/webapps.
k. repeat the modification for all .war files.
l. start WebApp service.

Remediation instructions for collaboration tools (Magic Collaboration Studio, Teamwork Cloud, Cameo Collaborator for Teamwork Cloud) 2021x Refresh1

Before starting with remediation, please download https://repo.spring.io/artifactory/release/org/springframework/spring/5.3.18/spring-5.3.18-dist.zip

The required files for remediation could be found in spring-framework-5.3.18/libs folder. 

  1. Stop WebApp service
  2. Go to <webapp.install.dir>/webapps
  3. Delete folder webapp/
  4. Copy webapp.war file to a temp directory. In the temp directory:
    1. unzip webapp.war file
    2. go to webapp/WEB-INF/lib
    3. perform the modification:

Jar file to delete

Replace with

spring-aop-5.3.0.jar

spring-aop-5.3.18.jar

spring-beans-5.3.0.jar

spring-beans-5.3.18.jar

spring-context-5.3.0.jar

spring-context-5.3.18.jar

spring-context-support-5.3.0.jar

spring-context-support-5.3.18.jar

spring-core-5.3.0.jar

spring-core-5.3.18.jar

spring-expression-5.3.0.jar

spring-expression-5.3.18.jar

spring-jcl-5.3.0.jar

spring-jcl-5.3.18.jar

spring-web-5.3.0.jar

spring-web-5.3.18.jar

spring-webmvc-5.3.0.jar

spring-webmvc-5.3.18.jar

d. compress the content of extracted webapp.war file
e. rename .zip with the webapp.war
f. replace original webapp.war file with modified one in <webapp.install.dir>/webapps
g. start WebApp service. 

Remediation instructions for collaboration tools (Magic Collaboration Studio, Teamwork Cloud, Cameo Collaborator for Teamwork Cloud) 2021x GA

Before starting with remediation, please download https://repo.spring.io/artifactory/release/org/springframework/spring/5.3.18/spring-5.3.18-dist.zip

The required files for remediation could be found in spring-framework-5.3.18/libs folder. 

  1. Stop WebApp service
  2. Go to <webapp.install.dir>/webapps
  3. Delete folder webapp/
  4. Copy webapp.war file to a temp directory. In the temp directory:
    1. unzip webapp.war file
    2. go to webapp/WEB-INF/lib
    3. perform the modification:

Jar file to delete

Replace with

spring-aop-5.2.5.jar

spring-aop-5.3.18.jar

spring-beans-5.2.5.jar

spring-beans-5.3.18.jar

spring-context-5.2.5.jar

spring-context-5.3.18.jar

spring-context-support-5.2.5.jar

spring-context-support-5.3.18.jar

spring-core-5.2.5.jar

spring-core-5.3.18.jar

spring-expression-5.2.5.jar

spring-expression-5.3.18.jar

spring-jcl-5.2.5.jar

spring-jcl-5.3.18.jar

spring-web-5.2.5.jar

spring-web-5.3.18.jar

spring-webmvc-5.2.5.jar

spring-webmvc-5.3.18.jar

d. compress the content of extracted webapp.war file
e. rename .zip with the webapp.war
f. replace original webapp.war file with modified one in <webapp.install.dir>/webapps
g. start WebApp service. 

Remediation instructions for collaboration tools (Magic Collaboration Studio, Teamwork Cloud, Cameo Collaborator for Teamwork Cloud) 19.0 SP4

Before starting with remediation, please download https://repo.spring.io/artifactory/release/org/springframework/spring/5.3.18/spring-5.3.18-dist.zip

The required files for remediation could be found in spring-framework-5.3.18/libs folder.

  1. Stop WebApp service.
  2. Go to <webapp.install.dir>/webapps 
  3. Delete folder webapp/ 
  4. Copy webapp.war file to a temp directory. In the temp directory:
    1. unzip webapp.war file
    2. go to webapp/WEB-INF/lib
    3. perform the modification:

Jar file to delete

Replace with

spring-aop-5.1.7.RELEASE.jar

spring-aop-5.3.18.jar

spring-beans-5.1.7.RELEASE.jar

spring-beans-5.3.18.jar

spring-context-5.1.7.RELEASE.jar

spring-context-5.3.18.jar

spring-context-support-5.1.7.RELEASE.jar

spring-context-support-5.3.18.jar

spring-core-5.1.7.RELEASE.jar

spring-core-5.3.18.jar

spring-expression-5.1.7.RELEASE.jar

spring-expression-5.3.18.jar

spring-jcl-5.1.7.RELEASE.jar

spring-jcl-5.3.18.jar

spring-web-5.1.7.RELEASE.jar

spring-web-5.3.18.jar

spring-webmvc-5.1.7.RELEASE.jar

spring-webmvc-5.3.18.jar

d. compress the content of extracted webapp.war file
e. rename .zip with the webapp.war
f. replace original webapp.war file with modified one in <webapp.install.dir>/webapps directory
g. start WebApp service.