Impact of CVE-2022-22965 (Spring4Shell) on Ambientia-managed environments
Incident Report for Ambientia
Resolved
This incident has been resolved.
Posted May 19, 2022 - 13:05 EEST
Monitoring
We have received information from both Atlassian (see their FAQ) and Liferay stating that the core software from either vendor is not vulnerable to the known, existing exploits. Out of an abundance of caution, both Atlassian and Liferay will issue fixes that address this issue by including a fixed version of the Spring Framework.

However, third party extensions might be vulnerable. We are currently working with Atlassian plugin vendors to assess the situation on a case-by-case basis.

Ambientia has identified the environments that are directly affected, and fixes for services requiring immediate action have been taken care of. As stated previously, even though the majority of Ambientia-managed services that include the Spring Framework are not currently affected, we maintain the position that additional attack vectors are likely to surface, which will require upgrades to many services that are not affected by the existing exploits. We will be in touch with customers individually regarding these upgrades.
Posted Apr 04, 2022 - 13:01 EEST
Update
We are continuing to investigate this issue.
Posted Apr 01, 2022 - 10:09 EEST
Investigating
On Thursday, 31 March 2022, Ambientia was made aware of a vulnerability in the Spring Framework which, under certain circumstances, makes it possible for unauthenticated attackers to execute code on remote systems.

We are working to fully understand the impact of this vulnerability on systems managed by Ambientia. Thus far we have concluded that the particular deployment scenario for which the exploit is circulating largely does not fit our deployment model for Spring applications. Deployments that still run on Java 8 are also not affected, as this issue is rooted in changes introduced in Java 9.

We are closely monitoring the situation and will implement any fixes, mitigations and upgrades recommended by our technology vendors. We are also planning to upgrade all systems using affected Spring Framework versions to a fixed version, since additional attack vectors are likely to surface. We will directly contact customers whose systems require upgrades.

We have also protected services with Cloudflare's Web Application Firewall, which already has filtering rules available to mitigate the vulnerability. Note that this protection applies only to customers who have an active Cloudflare subscription in place.
Posted Mar 31, 2022 - 18:53 EEST