Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

[updated on 2022 04 04 1806 06 16:00 GMT+1]

For more information, see spring blog and CVE-2022-22965.

Table of Contents

Change log

TimestampDescription
2022 06 06 16:00 GMT+12021x Refresh2 HF3 (hot fix) with Spring Framework 5.3.18 is released as Remediation option.
2022 04 22 16:00 GMT+1Added Remediation option for Collaboration tools 2021x GA version.
2022 04 04 18:00 GMT+1

First publication. Collaboration tools affected, see Remediation.

Spring Framework (Spring4Shell) version 5.3.0 to 5.3.17, 5.2.0 to 5.2.19 is a part of the following products. Action to perform.


CATIA Magic portfolio

  • Magic Collaboration Studio (release 19.0 SP4, 2021x GA, 2021x Refresh1, 2021x Refresh2)

No Magic portfolio

  • Teamwork Cloud (release 19.0 SP4, 2021x GA, 2021x Refresh1, 2021x Refresh2)
  • Cameo Collaborator for Teamwork Cloud (release  19.0 SP4, 2021x GA, 2021x Refresh1, 2021x Refresh2)

To Do:  You have action to perform. See Remediation.


Remediation

Remediation instructions for collaboration tools (Magic Collaboration Studio, Teamwork Cloud, Cameo Collaborator for Teamwork Cloud) 2021x Refresh2 

Option 1

Download and install 2021x Refresh2 HF3 (hot fix). This is a new full 2021x Refresh2 version build with Spring Framework version 5.3.18. 

See Downloading installation files

Option 2

Before starting with remediation, please download https://repo.spring.io/artifactory/release/org/springframework/spring/5.3.18/spring-5.3.18-dist.zip

...

h. compress the content of extracted .war file
i. rename .zip with the .war file name, for example: admin.war
j. replace original .war file with modified one in <webapp.install.dir>/webapps.
k. repeat the modification for all .war files.
l. start WebApp service.

Remediation instructions for collaboration tools (Magic Collaboration Studio, Teamwork Cloud, Cameo Collaborator for Teamwork Cloud) 2021x Refresh1

Before starting with remediation, please download https://repo.spring.io/artifactory/release/org/springframework/spring/5.3.18/spring-5.3.18-dist.zip

...

Jar file to delete

Replace with

spring-aop-5.13.70.jar

spring-aop-5.3.18.jar

spring-beans-5.13.70.jar

spring-beans-5.3.18.jar

spring-context-5.13.70.jar

spring-context-5.3.18.jar

spring-context-support-5.13.70.jar

spring-context-support-5.3.18.jar

spring-core-5.13.70.jar

spring-core-5.3.18.jar

spring-expression-5.13.70.jar

spring-expression-5.3.18.jar

spring-jcl-5.13.70.jar

spring-jcl-5.3.18.jar

spring-web-5.13.70.jar

spring-web-5.3.18.jar

spring-webmvc-5.13.70.jar

spring-webmvc-5.3.18.jar

d. compress the content of extracted webapp.war file
e. rename .zip with the webapp.war
f. replace original webapp.war file with modified one in <webapp.install.dir>/webapps
g. start WebApp service. 

Remediation instructions for collaboration tools (Magic Collaboration Studio, Teamwork Cloud, Cameo Collaborator for Teamwork Cloud) 2021x GA

Before starting with remediation, please download https://repo.spring.io/artifactory/release/org/springframework/spring/5.3.18/spring-5.3.18-dist.zip

The required files for remediation could be found in spring-framework-5.3.18/libs folder. 

  1. Stop WebApp service
  2. Go to <webapp.install.dir>/webapps
  3. Delete folder webapp/
  4. Copy webapp.war file to a temp directory. In the temp directory:
    1. unzip webapp.war file
    2. go to webapp/WEB-INF/lib
    3. perform the modification:

Jar file to delete

Replace with

spring-aop-5.2.5.jar

spring-aop-5.3.18.jar

spring-beans-5.2.5.jar

spring-beans-5.3.18.jar

spring-context-5.2.5.jar

spring-context-5.3.18.jar

spring-context-support-5.2.5.jar

spring-context-support-5.3.18.jar

spring-core-5.2.5.jar

spring-core-5.3.18.jar

spring-expression-5.2.5.jar

spring-expression-5.3.18.jar

spring-jcl-5.2.5.jar

spring-jcl-5.3.18.jar

spring-web-5.2.5.jar

spring-web-5.3.18.jar

spring-webmvc-5.2.5.jar

spring-webmvc-5.3.18.jar

d. compress the content of extracted webapp.war file
e. rename .zip with the webapp.war
f. replace original webapp.war file with modified one in <webapp.install.dir>/webapps
g. start WebApp service. 

Remediation instructions for collaboration tools (Magic Collaboration Studio, Teamwork Cloud, Cameo Collaborator for Teamwork Cloud) 19.0 SP4

Before starting with remediation, please download https://repo.spring.io/artifactory/release/org/springframework/spring/5.3.18/spring-5.3.18-dist.zip

...

Jar file to delete

Replace with

spring-aop-5.31.7.0RELEASE.jar

spring-aop-5.3.18.jar

spring-beans-5.1.37.0RELEASE.jar

spring-beans-5.3.18.jar

spring-context-5.31.7.0RELEASE.jar

spring-context-5.3.18.jar

spring-context-support-5.1.37.0RELEASE.jar

spring-context-support-5.3.18.jar

spring-core-5.1.37.0RELEASE.jar

spring-core-5.3.18.jar

spring-expression-5.31.7.0RELEASE.jar

spring-expression-5.3.18.jar

spring-jcl-5.1.37.0RELEASE.jar

spring-jcl-5.3.18.jar

spring-web-5.1.37.0RELEASE.jar

spring-web-5.3.18.jar

spring-webmvc-5.31.7.0RELEASE.jar

spring-webmvc-5.3.18.jar

d. compress the content of extracted webapp.war file
e. rename .zip with the webapp.war
f. replace original webapp.war file with modified one in <webapp.install.dir>/webapps directory
g. start WebApp service.

 

...