Spring4Shell and ColdFusion
I've had a bunch of people ask me if ColdFusion / Lucee servers need to worry about the recent Java vulnerability in Spring, nicknamed Spring4Shell, or more formally known as CVE-2022-22965.
To the best of my knowledge ColdFusion and Lucee do not make use of the Java Spring Framework by default, and do not include any of the vulnerable Spring jars by default. Disclaimer: I haven't done an exhaustive analysis, and I haven't checked every single version of ColdFusion or Lucee.
I used JFrog's Spring Tools scanner to scan both a ColdFusion 2021 and a Lucee 5.3 installation; neither returned any findings.
According to Spring's blog entry about this issue you may be impacted if you are:
- Running on JDK 9 or higher
- Apache Tomcat as the Servlet container.
- Packaged as a traditional WAR and deployed in a standalone Tomcat instance. Typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted.
- spring-webmvc or spring-webflux dependency.
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.
Most ColdFusion Servers would be running JDK 9 or higher, and Apache Tomcat, but probably do not have the spring-webmvc or spring-webflux dependency.
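To turn that checklist into something you can run against your own install, here is an added script (not from the original post, and not JFrog's scanner) that walks a ColdFusion or Lucee directory for spring-webmvc / spring-webflux jars and flags versions in the affected ranges. The fix boundaries (5.3.18 and 5.2.20) come from Spring's advisory; the jar filename pattern and the example path are assumptions.

```python
import os
import re
import sys
from typing import List, Optional, Tuple

# Fix releases from Spring's CVE-2022-22965 advisory: 5.3.18 and 5.2.20.
# Anything below those, and every older release line, counts as affected.
FIXED_PATCH = {(5, 3): 18, (5, 2): 20}
# Assumed naming convention for the jars, e.g. spring-webmvc-5.3.17.jar or
# spring-webflux-5.2.19.RELEASE.jar (older 5.2.x builds carry a .RELEASE suffix).
JAR_RE = re.compile(r"^(spring-webmvc|spring-webflux)-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")

def is_affected_version(major: int, minor: int, patch: int) -> bool:
    """True if this Spring Framework version is in the CVE-2022-22965 affected ranges."""
    line = (major, minor)
    if line in FIXED_PATCH:
        return patch < FIXED_PATCH[line]
    return line < (5, 2)  # "and older versions"; newer lines shipped after the fix

def jdk_major(version_string: str) -> int:
    """Normalise 'java -version' style strings: '1.8.0_292' -> 8, '11.0.14' -> 11, '17' -> 17."""
    parts = version_string.strip().strip('"').split(".")
    return int(parts[1]) if parts[0] == "1" else int(parts[0])

def classify_jar_name(filename: str) -> Optional[Tuple[str, str, bool]]:
    """Return (artifact, version, affected) for a spring-webmvc/webflux jar name, else None."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(2, 3, 4))
    return m.group(1), f"{major}.{minor}.{patch}", is_affected_version(major, minor, patch)

def scan_install(root: str) -> List[Tuple[str, str, str, bool]]:
    """Walk an install directory (its lib/ and WEB-INF/lib folders included) and report
    every spring-webmvc/webflux jar found; an empty list means no such dependency."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = classify_jar_name(name)
            if hit:
                findings.append((os.path.join(dirpath, name),) + hit)
    return findings

if __name__ == "__main__":
    # Usage: python spring_check.py /opt/coldfusion2021  (path is an example, not a default)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, artifact, version, affected in scan_install(root):
        print(f"{'AFFECTED' if affected else 'fixed   '} {artifact} {version} at {path}")
```

A hit on an affected version only matters if the other conditions in the list also hold (JDK 9+, standalone Tomcat, WAR deployment); an empty result matches what the JFrog scan reported above.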
I have had some people tell me FuseGuard was catching some Spring4Shell exploit attempts. You might see FuseGuard's Scope Injection Filter block requests that look like this:
Spring4Shell and ColdFusion was first published on April 06, 2022.