Pete Freitag

Spring4Shell and ColdFusion

Updated: April 06, 2022
coldfusion, java

I've had a bunch of people ask me whether ColdFusion or Lucee servers need to worry about the recent vulnerability in the Java Spring Framework, nicknamed Spring4Shell and more formally known as CVE-2022-22965.

To the best of my knowledge, ColdFusion and Lucee do not use the Spring Framework and do not ship any of the vulnerable Spring jars by default. Disclaimer: I haven't done an exhaustive analysis, and I haven't checked every version of ColdFusion or Lucee.

I used JFrog's Spring Tools scanner to scan both a ColdFusion 2021 and a Lucee 5.3 installation; neither returned any findings.

According to Spring's blog entry about this issue, you may be impacted if you are:

  • running on JDK 9 or higher;
  • using Apache Tomcat as the Servlet container;
  • packaged as a traditional WAR and deployed in a standalone Tomcat instance (typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted);
  • using the spring-webmvc or spring-webflux dependency;
  • running Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or older.

Most ColdFusion servers do run on JDK 9 or higher and on Apache Tomcat, but the vulnerable code path is Spring MVC's binding of request parameters onto Java beans, so without the spring-webmvc or spring-webflux dependency the first two conditions don't matter. The thing to verify on your own server is simply whether any Spring Framework jars are present, and if so which version they are.
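To turn that checklist into something you can run on a server, here is a small shell script, added here as an example and not part of the original post or of any Adobe or Lucee tooling. It walks an install directory for Spring Framework jars (spring-beans, spring-core, spring-context, spring-web, spring-webmvc, spring-webflux), reads the version out of each jar's filename and flags the ranges Spring lists as affected. The install paths in the usage comment are assumptions, and the check is filename-only: a renamed jar, or Spring classes shaded inside some other jar, would not be seen, which is why a scanner like JFrog's that opens the jars is still worth running.

```shell
#!/bin/sh
# Added example (not from the original post, Adobe or Lucee): find Spring
# Framework jars under a ColdFusion or Lucee install and flag the versions the
# Spring advisory lists as affected by CVE-2022-22965.
#
# Usage: sh check-spring-jars.sh /opt/coldfusion2021     (paths are assumptions;
#        a Lucee install would be e.g. /opt/lucee)

# Return 0 (true) when a Spring Framework version string falls in an affected
# range: 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or anything older than 5.2.0.
# 5.3.18+ and 5.2.20+ carry the fix. Non-numeric input returns 1 (not affected).
spring_version_vulnerable() {
    sv_ver=$(printf '%s' "$1" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+).*/\1/')
    sv_major=${sv_ver%%.*}
    sv_rest=${sv_ver#*.}
    sv_minor=${sv_rest%%.*}
    sv_patch=${sv_rest#*.}
    for sv_n in "$sv_major" "$sv_minor" "$sv_patch"; do
        case "$sv_n" in ''|*[!0-9]*) return 1 ;; esac   # not a parsable x.y.z
    done
    [ "$sv_major" -lt 5 ] && return 0
    [ "$sv_major" -gt 5 ] && return 1
    [ "$sv_minor" -lt 2 ] && return 0
    [ "$sv_minor" -eq 2 ] && [ "$sv_patch" -le 19 ] && return 0
    [ "$sv_minor" -eq 3 ] && [ "$sv_patch" -le 17 ] && return 0
    return 1
}

# Walk a directory tree and print one tab-separated line per Spring Framework
# jar found: status (AFFECTED / ok / unknown), version, path. Only Spring
# Framework artifacts are considered; spring-boot-*, spring-security-* and the
# like follow their own version lines and are skipped.
scan_spring_jars() {
    find "$1" -type f -name 'spring-*.jar' 2>/dev/null | while IFS= read -r jar; do
        name=$(basename "$jar")
        case "$name" in
            spring-beans-*|spring-core-*|spring-context-*|spring-web-*|spring-webmvc-*|spring-webflux-*) ;;
            *) continue ;;
        esac
        # Version is the x.y.z right after the artifact name; older releases
        # add a .RELEASE suffix (spring-beans-4.3.30.RELEASE.jar), which is dropped.
        ver=$(printf '%s' "$name" | sed -E 's/^spring-[a-zA-Z-]+-([0-9]+\.[0-9]+\.[0-9]+).*\.jar$/\1/')
        if [ "$ver" = "$name" ]; then
            status=unknown
        elif spring_version_vulnerable "$ver"; then
            status=AFFECTED
        else
            status=ok
        fi
        printf '%s\t%s\t%s\n' "$status" "$ver" "$jar"
    done
}

# Number of affected jars under a directory; prints 0 (and exits 0) when none.
affected_spring_jar_count() {
    scan_spring_jars "$1" | grep -c '^AFFECTED' || true
}

if [ -n "${1:-}" ]; then
    scan_spring_jars "$1"
    if [ "$(affected_spring_jar_count "$1")" -gt 0 ]; then
        echo "Affected Spring Framework jars found; see Spring's CVE-2022-22965 advisory."
    fi
fi
```

On a stock ColdFusion 2021 or Lucee 5.3 install the scan should print nothing at all; any output means something (a deployed CFML app, a custom jar in the lib directory) has brought Spring in, and that is what needs the version check.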

Some people have told me that FuseGuard has been catching Spring4Shell exploit attempts. You might see FuseGuard's Scope Injection Filter block requests that contain a parameter like this:

form.CLASS.MODULE.CLASSLOADER.RESOURCES.CONTEXT.PARENT.PIPELINE.FIRST.PATTERN

FuseGuard shows the parameter with the form scope prefix because that is where ColdFusion surfaces POST fields; on the wire the parameter is named class.module.classLoader.resources.context.parent.pipeline.first.pattern. A block like this is an opportunistic scan rather than evidence that the server was exploitable: on a ColdFusion or Lucee server without the Spring jars there is no Spring data binder for that parameter to reach.
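As an added example (not from the original post, and not FuseGuard's code), the following shell snippet pulls requests carrying that parameter name out of a Tomcat-style access log. It matches on the class.module.classLoader prefix, case-insensitively and with either literal or %2E-encoded dots, rather than on the full path, so trivially re-encoded variants of the probe are still caught. The log format and the sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or FuseGuard): find Spring4Shell
# probes in an access log. FuseGuard displays the blocked parameter as
# form.CLASS.MODULE.CLASSLOADER...; the HTTP parameter name is
# class.module.classLoader.resources.context.parent.pipeline.first.pattern.
#
# Usage: sh spring4shell-hits.sh /opt/coldfusion2021/cfusion/logs/access.log
#        (path is an assumption; point it at whatever access log you keep)

# "class", "module" and "classLoader" joined by a dot that may be URL-encoded.
# grep -i makes the match case-insensitive, so CLASS.MODULE... is caught too.
SPRING4SHELL_RE='class(\.|%2[eE])module(\.|%2[eE])classloader'

# Print every log line that carries the parameter prefix (exit 0 even if none).
spring4shell_hits() {
    grep -iE "$SPRING4SHELL_RE" "$1" || true
}

# Count those lines; prints 0 and exits 0 when there are none.
spring4shell_hit_count() {
    spring4shell_hits "$1" | grep -c . || true
}

# Constructed sample log (not real traffic): two probes, the second one with
# encoded dots and mixed case, followed by an ordinary page request.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [31/Mar/2022:09:12:44 +0000] "GET /index.cfm?class.module.classLoader.resources.context.parent.pipeline.first.pattern=x HTTP/1.1" 403 0
203.0.113.7 - - [31/Mar/2022:09:12:45 +0000] "GET /index.cfm?CLASS%2Emodule%2EclassLoader.resources.context.parent.pipeline.first.pattern=x HTTP/1.1" 403 0
198.51.100.20 - - [31/Mar/2022:09:13:02 +0000] "GET /index.cfm?page=home HTTP/1.1" 200 1312
EOF
}

if [ -n "${1:-}" ]; then
    echo "Spring4Shell probes in $1: $(spring4shell_hit_count "$1")"
    spring4shell_hits "$1"
fi
```

Two caveats when reading the results. An access log only records the query string, so probes sent as POST form fields will not appear there; for those you need a WAF log such as FuseGuard's, or full request logging. And on a ColdFusion or Lucee server without Spring, a hit tells you the host is being scanned for Spring4Shell, which is worth knowing, but it is not an indicator of compromise.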

Spring4Shell and ColdFusion was first published on April 06, 2022.

Comments

Wonderful, thanks so much, Pete.
by Charlie Arehart on 04/06/2022 at 10:36:42 PM UTC
