I've had a bunch of people ask me if ColdFusion / Lucee servers need to worry about the recent Java vulnerability in Spring, nick named Spring4Shell, or more formally known as CVE-2022-22965.
To the best of my knowledge ColdFusion and Lucee do not make use of the Java Spring Framework by default, and do not include any of the vulnerable Spring jars by default. Disclaimer: I haven't done an exhaustive analysis, and I haven't checked every single version of ColdFusion or Lucee.
I used JFrog's Spring Tools scanner to scan both a ColdFusion 2021 and a Lucee 5.3 installation, neither returned any findings.
According to Spring's blog entry about this issue you may be impacted if you are:
- Running on JDK 9 or higher
- Apache Tomcat as the Servlet container.
- Packaged as a traditional WAR and deployed in a standalone Tomcat instance. Typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted.
- spring-webmvc or spring-webflux dependency.
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.
Most ColdFusion Servers would be running JDK 9 or higher, and Apache Tomcat, but probably do not have the spring-webmvc or spring-webflux dependency.
I have had some people tell me FuseGuard was catching some Spring4Shell exploit attempts. You might see FuseGuard's Scope Injection Filter block requests that look like this:
form.CLASS.MODULE.CLASSLOADER.RESOURCES.CONTEXT.PARENT.PIPELINE.FIRST.PATTERN
Comments
Wonderful, thanks so much, Pete.