Page History
[updated on 2022 04 04 1806 06 16:00 GMT+1]
For more information, see spring blog and CVE-2022-22965.
...
Change log
| Timestamp | Description |
|---|---|
| 2022 06 06 16:00 GMT+1 | 2021x Refresh2 HF3 (hot fix) with Spring Framework 5.3.18 is released as Remediation option. |
| 2022 04 22 16:00 GMT+1 | Added Remediation option for Collaboration tools 2021x GA version. |
| 2022 04 04 18:00 GMT+1 | First publication. Collaboration tools affected, see Remediation. |
Spring Framework (Spring4Shell) version 5.3.0 to 5.3.17, 5.2.0 to 5.2.19 is a part of the following products. Action to perform.
...
Remediation instructions for collaboration tools (Magic Collaboration Studio, Teamwork Cloud, Cameo Collaborator for Teamwork Cloud) 2021x Refresh2
Option 1
Download and install 2021x Refresh2 HF3 (hot fix). This is a new full 2021x Refresh2 version build with Spring Framework version 5.3.18.
See Downloading installation files
Option 2
Before starting with remediation, please download https://repo.spring.io/artifactory/release/org/springframework/spring/5.3.18/spring-5.3.18-dist.zip
...
Jar file to delete | Replace with |
spring-aop-5.13.70.jar | spring-aop-5.3.18.jar |
spring-beans-5.13.70.jar | spring-beans-5.3.18.jar |
spring-context-5.13.70.jar | spring-context-5.3.18.jar |
spring-context-support-5.13.70.jar | spring-context-support-5.3.18.jar |
spring-core-5.13.70.jar | spring-core-5.3.18.jar |
spring-expression-5.13.70.jar | spring-expression-5.3.18.jar |
spring-jcl-5.13.70.jar | spring-jcl-5.3.18.jar |
spring-web-5.13.70.jar | spring-web-5.3.18.jar |
spring-webmvc-5.13.70.jar | spring-webmvc-5.3.18.jar |
d. compress the content of extracted webapp.war file
e. rename .zip with the webapp.war
f. replace original webapp.war file with modified one in <webapp.install.dir>/webapps
g. start WebApp service.
Remediation instructions for collaboration tools (Magic Collaboration Studio, Teamwork Cloud, Cameo Collaborator for Teamwork Cloud) 2021x GA
Before starting with remediation, please download https://repo.spring.io/artifactory/release/org/springframework/spring/5.3.18/spring-5.3.18-dist.zip
The required files for remediation could be found in spring-framework-5.3.18/libs folder.
- Stop WebApp service
- Go to <webapp.install.dir>/webapps
- Delete folder webapp/
- Copy webapp.war file to a temp directory. In the temp directory:
- unzip webapp.war file
- go to webapp/WEB-INF/lib
- perform the modification:
Jar file to delete | Replace with |
spring-aop-5.2.5.jar | spring-aop-5.3.18.jar |
spring-beans-5.2.5.jar | spring-beans-5.3.18.jar |
spring-context-5.2.5.jar | spring-context-5.3.18.jar |
spring-context-support-5.2.5.jar | spring-context-support-5.3.18.jar |
spring-core-5.2.5.jar | spring-core-5.3.18.jar |
spring-expression-5.2.5.jar | spring-expression-5.3.18.jar |
spring-jcl-5.2.5.jar | spring-jcl-5.3.18.jar |
spring-web-5.2.5.jar | spring-web-5.3.18.jar |
spring-webmvc-5.2.5.jar | spring-webmvc-5.3.18.jar |
d. compress the content of extracted webapp.war file
e. rename .zip with the webapp.war
f. replace original webapp.war file with modified one in <webapp.install.dir>/webapps
g. start WebApp service.
...
Jar file to delete | Replace with |
spring-aop-5.31.7.0RELEASE.jar | spring-aop-5.3.18.jar |
spring-beans-5.1.37.0RELEASE.jar | spring-beans-5.3.18.jar |
spring-context-5.31.7.0RELEASE.jar | spring-context-5.3.18.jar |
spring-context-support-5.1.37.0RELEASE.jar | spring-context-support-5.3.18.jar |
spring-core-5.1.37.0RELEASE.jar | spring-core-5.3.18.jar |
spring-expression-5.31.7.0RELEASE.jar | spring-expression-5.3.18.jar |
spring-jcl-5.1.37.0RELEASE.jar | spring-jcl-5.3.18.jar |
spring-web-5.1.37.0RELEASE.jar | spring-web-5.3.18.jar |
spring-webmvc-5.31.7.0RELEASE.jar | spring-webmvc-5.3.18.jar |
d. compress the content of extracted webapp.war file
e. rename .zip with the webapp.war
f. replace original webapp.war file with modified one in <webapp.install.dir>/webapps directory
g. start WebApp service.
...