Attention: CVE-2022-22965 Spring Framework RCE Investigation

A Critical Remote Code Execution vulnerability in Spring Framework has been discovered. As per Spring’s security advisory, this vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. CVE-2022-22965 has been published and will be used to track this specific bug.

Vulnerability Summary

The Spring Framework insecurely handles requests which may allow a remote attacker to execute arbitrary code (RCE).

How to tell if an app is impacted

  • Cloud: If your ACSB version is < 2.3.3 or you are using a vulnerable version of Spring Framework mentioned in the Spring security advisory
  • Server and Data Center: You are using a vulnerable version of Spring Framework mentioned in the Spring security advisory

Atlassian’s Investigation

Atlassian is currently investigating CVE-2022-22965 and the risk it poses to our customers and partners. ACSB (Atlassian Connect Spring Boot) is Atlassian’s officially supported Connect Java framework that builds on Spring Boot to handle tasks like JWT authentication, signing, persistence of host details, etc. We have confirmed that ACSB is using a vulnerable version of Spring Boot; ACSB version 2.3.3 has been released to mitigate this vulnerability.

Remediation Advice

If you own a marketplace app that uses Atlassian Connect Spring Boot (ACSB) or Java/Spring Framework directly or indirectly, you should:

  • Update ACSB version to 2.3.3. You should also update any Spring Boot references in your project to the 2.6.6 version.
  • If you are not using ACSB, but are using Java/Spring for your Atlassian Connect app, please check advisories CVE-2022-22965 and CVE-2022-22963 to see if your app/service is vulnerable and update your dependencies as required.

We are continuing to monitor the situation for our apps, and we will provide updates as soon as we have them. In the meantime, Atlassian strongly recommends that all partners review each of their apps for usage of vulnerable versions of Spring Framework mentioned in this advisory. To scan your repositories, you may choose to use Snyk’s public and free scanning tool, which we’ve linked here: Snyk | Developer security | Develop fast. Stay secure.

If you have any questions or concerns, please reply to this thread or raise a support request at Developer Support Portal.


Ahoi! Thanks for the post.
Can you provide tips on how to identify if we have such apps installed in our on-premise products (bamboo, jira, confluence, bitbucket)?


Are old plugins also affected? Doesn’t Confluence Server/Data Center use Spring?

How can we know which plugin owners have taken the required steps to update the spring version and which plugins are impacted ?


Hi @StephanMueller, Atlassian Connect Spring Boot (ACSB) is a framework used to develop Cloud apps, and the vulnerable version of ACSB does not affect our on-premise products. We are currently investigating Cloud apps on the Marketplace and we will reach out to the respective partners for mitigation in case we find any vulnerable apps. Meanwhile, customers can directly reach out to app developers for this information.
@snehakumar FYI :point_up:


Hi @aragot, FYI we have also published a public FAQ page - FAQ for CVE-2022-22965 | Atlassian Support | Atlassian Documentation - for the status of Atlassian products on CVE-2022-22965. Please follow this page for any updates on our on-premises Server/Data Center products. Can you please clarify what you mean by old plugins?

About FAQ for CVE-2022-22965 | Atlassian Support | Atlassian Documentation.

Are Marketplace apps vulnerable to CVE-2022-22965?

Do “Marketplace apps” mean Cloud/Server/DC apps? or Cloud apps only?

Hi Srivathsav,

The public FAQ page, section “Are Marketplace apps vulnerable to …”, only talks about Cloud plugins. It doesn’t tell whether P2 plugins are vulnerable. I understand that Confluence itself doesn’t seem vulnerable, but is there something to activate in P2 plugins to ensure we’re not vulnerable either?

Thank you


@TakayukiHirota / @aragot apologies for any ambiguity. Server and Data Center apps are vulnerable only if they are using the vulnerable Spring frameworks mentioned in CVE-2022-22965. Note that actual exploitation may depend on the impact requirements stated in the Spring advisory. Atlassian is currently actively investigating all Cloud, Server and Data Center apps in the Marketplace and will be filing a vulnerability ticket with the affected partner when we discover evidence of this vulnerability in the app.

is there something to activate in P2 plugins to ensure we’re not vulnerable either?

We are currently not aware of any such workarounds other than those stated in https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement.

Regards,
Srivathsav


Hi @SrivathsavGandrathi , thank you for the clarification! We’ll watch AMS dashboard.


Hi @SrivathsavGandrathi

I am currently facing this issue: CompletableFuture and atlassian-connect-spring-boot v2.3.3 and Spring Boot v2.6.6

Please, can you help me to resolve this?

Regards,
Onuche

@OnucheIdoko1 Please reach out to our Developer Support Portal for any support related to bugs.

Thanks,
Srivathsav

Okay, Thanks @SrivathsavGandrathi

Hi Community,

My company is developing a P2 plugin for Jira Data Center 8.5 and I use the atlas-debug command to spin up local instances for testing/debugging. The IT security team scanned my computer and asked me to remove vulnerable files:

Spring beans jars within the vulnerable version range found in the following war files: 
.../plugin/target/container/tomcat8x/cargo-jira-home/webapps/jira.war
.../plugin/target/jira/jira.war

Even if I clean my target directory, it will be re-generated later when I use atlas-debug again.
I have no control over the Spring dependencies.
What is the solution/workaround here? Do we need to wait for Atlassian to release a fix for all supported versions, so the new Spring dependencies will be used?

Dependency tree of the plugin, grepped for “org.springframework”:

[INFO] |  |  |  \- org.springframework:spring-web:jar:5.1.13.RELEASE:provided
[INFO] |  +- org.springframework.security:spring-security-core:jar:5.2.1.RELEASE:provided
[INFO] |  +- org.springframework:spring-core:jar:5.1.18.RELEASE:provided
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.1.18.RELEASE:provided
[INFO] |  +- org.springframework:spring-beans:jar:5.1.18.RELEASE:provided
[INFO] |  +- org.springframework.ldap:spring-ldap-core:jar:2.3.2.RELEASE:provided
[INFO] |  +- org.springframework:spring-tx:jar:5.1.18.RELEASE:provided
[INFO] |  |     +- org.springframework:spring-hibernate2:jar:2.0.6:provided
[INFO] |  |     |  +- org.springframework:spring-dao:jar:2.0.6:provided
[INFO] |  |     |  \- org.springframework:spring-jdbc:jar:2.0.6:provided
[INFO] +- org.springframework:spring-context:jar:5.1.18.RELEASE:provided
[INFO] |  +- org.springframework:spring-aop:jar:5.1.18.RELEASE:provided
[INFO] |  \- org.springframework:spring-expression:jar:5.1.18.RELEASE:provided

Environment info:

ATLAS Version:    8.2.7
ATLAS Home:       /Applications/Atlassian/atlassian-plugin-sdk-8.2.6
ATLAS Scripts:    /Applications/Atlassian/atlassian-plugin-sdk-8.2.6/bin
ATLAS Maven Home: /Applications/Atlassian/atlassian-plugin-sdk-8.2.6/apache-maven-3.5.4
AMPS Version:     8.1.2

Java version: 1.8.0_281, vendor: Oracle Corporation, runtime: /Library/Java/JavaVirtualMachines/jdk1.8.0_281.jdk/Contents/Home/jre
Default locale: en_GB, platform encoding: UTF-8
OS name: "mac os x", version: "10.16", arch: "x86_64", family: "mac"

UPDATE

The Spring 5.1.18 dependencies are coming from the jira-core.
https://mvnrepository.com/artifact/com.atlassian.jira/jira-core/8.20.0

Regards,
Ferenc


We are using the Confluence platform POM and scope=provided for spring-beans.
What do we need to do? Is there a minimum version of the platform POM to use?

        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-beans</artifactId>
            <scope>provided</scope>
        </dependency>

Platform Pom

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>com.atlassian.confluence</groupId>
                <artifactId>confluence-plugins-platform-pom</artifactId>
                <version>${confluence.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

confluence.version=6.15.0 ==> is what we build against to be compatible with old versions

Can you tell me which platform POM would be the best to support as many older Confluence versions as possible?

thanks,
Bernhard

UPDATE: I tried to build against different versions and this is the result:

7.13.0  org.springframework:spring-beans:jar:5.1.18.RELEASE:provided
7.13.5  org.springframework:spring-beans:jar:5.1.18.RELEASE:provided
7.15.0  org.springframework:spring-beans:jar:5.1.18.RELEASE:provided
7.16.1  org.springframework:spring-beans:jar:5.3.10:provided
7.17.0  org.springframework:spring-beans:jar:5.3.10:provided

I usually try to make apps compatible with the latest LTS, which is 7.13.x
=> Is there any way to do it?
=> The hint from the AMPS tickets is: Upgrade org.springframework:spring-beans to version 5.2.20, 5.3.18 or higher
=> No version provided offers this :frowning:
=> Should we put the version in manually and not use provided? Is this really something useful to do, or can we close the AMPS ticket as a false positive?

@SrivathsavGandrathi any tips? thanks :slight_smile:

When I change the version manually I get warnings:

[WARNING]
[WARNING] Some problems were encountered while building the effective model for foo-plugin:4.1.0
[WARNING] 'dependencies.dependency.scope' for org.springframework:spring-beans:jar must be one of [provided, compile, runtime, test, system] but is '5.2.20'. @ line 50, column 20
[WARNING]
[WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
[WARNING]
[WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
[WARNING]

I have the same issue as @clouless except my plugin targets bitbucket server version 6. Adding a version breaks.


Hi @clouless ,

Thanks for raising this. If your application does not explicitly specify the vulnerable version of Spring in its POM file and instead points to the platform-bundled version, there is nothing the app needs to do here and the AMS ticket can be marked as a False Positive. I will go ahead and update your AMS ticket.
cc @jnmiller15

Regards,
Srivathsav

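The dependency trees pasted earlier and the answer above boil down to one triage question per Spring Framework artifact: is the version below the fixed releases named in the AMS hint (5.2.20 / 5.3.18), and is it `provided` by the host product or declared by the app itself? The following is an added example, not Atlassian's or Spring's code, that applies that check to `mvn dependency:tree` output; the sample lines are constructed, modelled on the trees posted in this thread.

```python
import re

# Constructed sample in the format of `mvn dependency:tree`, modelled on the
# trees pasted above (not any poster's full output).
SAMPLE_TREE = """\
[INFO] +- org.springframework:spring-context:jar:5.1.18.RELEASE:provided
[INFO] |  +- org.springframework:spring-beans:jar:5.1.18.RELEASE:provided
[INFO] |  +- org.springframework:spring-aop:jar:5.1.18.RELEASE:provided
[INFO] +- org.springframework:spring-core:jar:5.3.17:compile
[INFO] +- org.springframework:spring-beans:jar:5.3.18:compile
[INFO] +- org.springframework:spring-webmvc:jar:5.2.20.RELEASE:compile
[INFO] +- com.atlassian.jira:jira-core:jar:8.20.0:provided
"""

# First fixed patch level per supported line, as named in the AMS hint above.
FIXED_PATCH = {(5, 2): 20, (5, 3): 18}


def parse_tree(text):
    """Return dicts of group/artifact/version/scope for every coordinate line."""
    deps = []
    for line in text.splitlines():
        parts = line.strip().split(" ")[-1].split(":")   # g:a:type[:classifier]:version:scope
        if len(parts) < 5:
            continue
        deps.append({"group": parts[0], "artifact": parts[1],
                     "version": parts[-2], "scope": parts[-1]})
    return deps


def is_vulnerable_spring(version):
    """True when a Spring Framework version is below the fixed releases."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return True                       # unparsable: flag for manual review
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) > (5, 3):
        return False                      # 6.x and later ship with the fix
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return True                       # 5.1.x, 2.0.x: older lines, no fix released
    return patch < fixed


def findings(text):
    """List (artifact, version, scope, action) for Spring Framework jars in range."""
    out = []
    for d in parse_tree(text):
        if d["group"] != "org.springframework" or not is_vulnerable_spring(d["version"]):
            continue
        # 'provided' means the host product (e.g. jira-core) ships the jar, so the
        # product's patch, not the app, remediates it; anything else is the app's own.
        action = "platform-bundled; product patch" if d["scope"] == "provided" else "app must upgrade"
        out.append((d["artifact"], d["version"], d["scope"], action))
    return out
```

Run `findings(open("tree.txt").read())` on real `mvn dependency:tree` output; only `compile`-scoped hits need a POM change, and the version goes in `<version>`, not `<scope>`, which is what the warning above is complaining about.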

Hi @nferi ,

Could you please raise a support request for this question since the scan is on product artifacts?

Thanks,
Srivathsav


Hi @SrivathsavGandrathi, we use Confluence version 7.13.2. The license is for Data Center. When can we get a patch to fix this issue?

Hi @guowuHu,

I contacted the Atlassian dev support and they advised me to follow this issue related to the CVE as they will post updates there:
https://jira.atlassian.com/browse/JSWSERVER-21350

In case of Confluence:
https://jira.atlassian.com/browse/CONFSERVER-78586

Regards,
Ferenc
