Security Bulletin

Spring4Shell impact on Centreon products

  • 1 April 2022


Summary

A zero-day exploit for Spring4Shell (CVE-2022-22965), a remote code execution vulnerability in the Spring Framework's request data binding, was publicly released on March 31st, 2022. A detailed description of the vulnerability can be found on the Spring Boot page.

The Centreon Security Group has conducted an initial assessment across the codebase to determine the impact of this vulnerability.  

 

Impact

The only Centreon components that could be affected are those written in Java on top of the Spring Boot framework:

  • Centreon MAP server

No other component (including open source components) is affected.

No Centreon Cloud service is affected.

 

State of investigation

MAP servers in all supported versions (20.10, 21.04, 21.10) are built on Spring Boot 2.3, whose bundled Spring Framework release (5.2.x) falls within the range affected by the vulnerability.

However, the exploit that was published only works against applications that combine all of the following:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as a traditional WAR (not a Spring Boot executable JAR)
  • spring-webmvc or spring-webflux dependency
  • Spring Framework 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or an older unsupported release

MAP does not meet these conditions: it does not run on Tomcat and is packaged as an executable JAR, not a WAR.

MAP servers are therefore not affected by the Spring4Shell exploit. Spring's own advisory describes the conditions above as the prerequisites of the reported exploit and does not rule out other ways of reaching the underlying flaw, so the framework upgrade planned in the next steps remains the durable fix.
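The checklist above can be applied mechanically to a built artifact. The following Python script is an added example for this bulletin, not Centreon code: it lists the entries of a Spring Boot executable JAR or a traditional WAR, reads the bundled Spring Framework version from the spring-core library name, and reports separately whether that version is in the affected range and whether every precondition of the published exploit holds. The sample artifacts, their library versions and the Jetty container in the first sample are constructed for the demonstration and are not taken from a real Centreon MAP build.

```python
"""Triage helper for CVE-2022-22965 (Spring4Shell) against a built artifact.

Added example; not Centreon code. Samples below are constructed test data.
"""
import io
import re
import zipfile

# First patch level that carries the fix, per supported Spring Framework line.
FIXED_PATCH = {(5, 2): 20, (5, 3): 18}

# Library jars live under BOOT-INF/lib (executable JAR) or WEB-INF/lib (WAR).
# Jars whose version is not three dotted numbers are ignored.
LIB_RE = re.compile(
    r"^(?:BOOT-INF|WEB-INF)/lib/([A-Za-z0-9-]+?)-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$"
)
EMBEDDED_CONTAINERS = {"tomcat-embed-core": "tomcat", "jetty-server": "jetty", "undertow-core": "undertow"}


def parse_libs(names):
    """Map artifact id -> (major, minor, patch) for every versioned library jar."""
    libs = {}
    for name in names:
        m = LIB_RE.match(name)
        if m:
            libs[m.group(1)] = tuple(int(x) for x in m.group(2, 3, 4))
    return libs


def framework_affected(version):
    """True if this Spring Framework version predates the CVE-2022-22965 fix."""
    major, minor, patch = version
    line = (major, minor)
    if line in FIXED_PATCH:
        return patch < FIXED_PATCH[line]
    # Lines older than 5.2 are out of support and never received a fix.
    return line < (5, 2)


def assess(artifact, java_major, external_container=None):
    """Return Spring4Shell triage facts for an artifact given as zip bytes.

    external_container names the servlet container a WAR is deployed to; an
    executable JAR ships its own, which is read from the bundled libraries.
    """
    with zipfile.ZipFile(io.BytesIO(artifact)) as zf:
        names = zf.namelist()
    libs = parse_libs(names)
    packaging = "war" if any(n.startswith("WEB-INF/") for n in names) else "jar"

    if packaging == "war":
        container = external_container or "unknown"
    else:
        embedded = next((lib for lib in EMBEDDED_CONTAINERS if lib in libs), None)
        container = EMBEDDED_CONTAINERS.get(embedded, "none")

    spring = libs.get("spring-core")
    affected_version = spring is not None and framework_affected(spring)
    preconditions = {
        "jdk9_or_newer": java_major >= 9,
        "tomcat": container == "tomcat",
        "war_packaging": packaging == "war",
        "webmvc_or_webflux": "spring-webmvc" in libs or "spring-webflux" in libs,
        "affected_framework": affected_version,
    }
    return {
        "spring_framework": spring,
        "packaging": packaging,
        "container": container,
        "framework_affected": affected_version,
        "preconditions": preconditions,
        "exploit_preconditions_met": all(preconditions.values()),
    }


def build_sample(entries):
    """Build an in-memory zip with the given (empty) entries; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed stand-in for a Spring Boot 2.3 executable JAR that does not use
# Tomcat (the shape the bulletin describes for MAP); not a real MAP artifact.
SAMPLE_BOOT_JAR = build_sample([
    "META-INF/MANIFEST.MF",
    "BOOT-INF/classes/application.properties",
    "BOOT-INF/lib/spring-boot-2.3.12.RELEASE.jar",
    "BOOT-INF/lib/spring-core-5.2.15.RELEASE.jar",
    "BOOT-INF/lib/spring-webmvc-5.2.15.RELEASE.jar",
    "BOOT-INF/lib/jetty-server-9.4.40.v20210413.jar",
])
# Constructed traditional WAR on an affected framework: the published exploit's target shape.
SAMPLE_LEGACY_WAR = build_sample([
    "WEB-INF/web.xml",
    "WEB-INF/lib/spring-core-5.3.17.jar",
    "WEB-INF/lib/spring-webmvc-5.3.17.jar",
])
# The same WAR after moving to the fixed framework release.
SAMPLE_PATCHED_WAR = build_sample([
    "WEB-INF/web.xml",
    "WEB-INF/lib/spring-core-5.3.18.jar",
    "WEB-INF/lib/spring-webmvc-5.3.18.jar",
])

if __name__ == "__main__":
    for label, data, container in (("boot-jar", SAMPLE_BOOT_JAR, None),
                                   ("legacy-war", SAMPLE_LEGACY_WAR, "tomcat"),
                                   ("patched-war", SAMPLE_PATCHED_WAR, "tomcat")):
        r = assess(data, java_major=11, external_container=container)
        print(label, r["spring_framework"], "affected version:", r["framework_affected"],
              "exploit preconditions met:", r["exploit_preconditions_met"])
```

The two results are reported separately on purpose: the constructed executable JAR comes out with an affected framework version but with the exploit preconditions unmet, which is exactly the position the bulletin describes for MAP and why the upgrade is still scheduled. To run it against a real build, pass the bytes of the JAR or WAR and the JDK major version it runs on (plus the container name for a WAR).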

 

Next steps

A patched version of Spring Boot (2.6.6, which bundles the fixed Spring Framework 5.3.18) has been released and will be picked up in upcoming minor versions of MAP.

 

This advisory will be updated as additional information becomes available. Please make sure to subscribe to updates.

 

