Spring RCE Vulnerability (March 2022)
Summary
This page gives an overview of the impact of the Spring RCE security exploit discovered in March 2022 on the Flowable products.
Related CVE: https://tanzu.vmware.com/security/cve-2022-22965
Who is affected?
Customers using Flowable Design/Control/Work/Engage/Orchestrate
- Deployed as a WAR file
- Running on Tomcat
- Running with JDK 9 (or higher)
When these requirements are met, all previous versions of Flowable products are affected.
Timeline (recent first)
- 1 April 2022: New versions of Flowable products released, containing a fix for the exploit.
- 31 March 2022: Disclosure of a Spring RCE security exploit, which was leaked online ahead of its CVE publication. The Spring team published patch releases of the Spring framework and Spring Boot.
Latest update
Update 13 Apr 2022
On April 13th 2022 a new CVE related to the previous one was disclosed by the Spring team. The rating for the CVE is low: https://tanzu.vmware.com/security/cve-2022-22968.
After analysing the necessary conditions in the linked post, we've concluded the Flowable products are not affected.
Update 01 Apr 2022
Yesterday, the Spring team published a blog detailing an RCE exploit for the Spring and Spring Boot frameworks. New patch releases of Spring and Spring Boot were released the same day.
In the same blog, a workaround was published. However, this workaround needs custom code and is most likely not easily applicable for many customers, as it involves adding a custom new bean to the configuration.
As such, Flowable has released the following new versions of Flowable Design/Control/Work/Engage:
- 3.11.5
- 3.10.10
- 3.9.14
These versions include the latest patch versions of the Spring and Spring Boot frameworks.
Customers using Flowable Design/Control/Work/Engage are advised to upgrade to these versions immediately.
Customers using Flowable Orchestrate that are using Flowable with Spring Boot are advised to override the Spring Boot dependency version to 2.5.12 or 2.6.6 (depending on whether using 2.5.x or 2.6.x).
Customers using Flowable Orchestrate that are using Flowable with Spring (not Spring Boot) are advised to override the Spring dependency version to 5.3.18 or 5.2.20 (depending on whether using 5.3.x or 5.2.x).
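The dependency override advised for Orchestrate customers above, shown as an added Maven example (this is not a Flowable build file). It assumes a Maven project that either inherits from spring-boot-starter-parent, imports Spring Boot through a vendor BOM, or uses plain Spring via spring-framework-bom; the vendor BOM coordinates and the pre-fix version strings are placeholders, and Maven's rule that the first-declared BOM import in dependencyManagement wins is what makes the ordering in option B matter.

```xml
<!-- Option A: project inherits from spring-boot-starter-parent.
     Before: any 2.6.x release before 2.6.6 (or 2.5.x before 2.5.12) is exposed. -->
<!--
<parent>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-parent</artifactId>
  <version>2.6.x-PLACEHOLDER</version>
</parent>
-->
<!-- After: bump the parent to the patched line (2.5.12 for 2.5.x projects). -->
<parent>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-parent</artifactId>
  <version>2.6.6</version>
</parent>

<dependencyManagement>
  <dependencies>
    <!-- Option B: the Spring Boot version is pinned transitively by a vendor BOM
         (coordinates below are a placeholder, not Flowable's real BOM).
         Import spring-boot-dependencies FIRST: Maven keeps the first-declared
         managed version, so this overrides whatever the vendor BOM pins. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-dependencies</artifactId>
      <version>2.6.6</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
    <dependency>
      <groupId>com.example.vendor</groupId>
      <artifactId>vendor-bom-PLACEHOLDER</artifactId>
      <version>VENDOR-VERSION-PLACEHOLDER</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>

    <!-- Option C: plain Spring without Spring Boot. Pin the framework BOM to
         5.3.18 (or 5.2.20 for 5.2.x projects) ahead of any vendor BOM. -->
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-framework-bom</artifactId>
      <version>5.3.18</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
```

After changing the build file, confirm the override actually took effect with `mvn dependency:tree | grep spring-` (or `mvn dependency:list`) and check that every `org.springframework` artifact resolves to 5.3.18/5.2.20 and every `org.springframework.boot` artifact to 2.6.6/2.5.12; a single older spring-beans or spring-webmvc jar left on the classpath by another BOM or an explicit dependency still leaves the deployment exposed.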
Alternative Mitigations
The Spring Team has also documented two mitigations, in case an immediate upgrade is not possible:
- Downgrade to JDK 8
- or upgrade to Apache Tomcat 10.0.20, 9.0.62 or 8.5.78
Do note that there may be other, currently unknown attack vectors not covered by these mitigations. As such, the advice to upgrade the Flowable products to the latest versions or to override the Spring (Boot) dependency versions remains in place.