Information about Spring4Shell vulnerability CVE-2022-22965 in the context of WebOffice – VertiGIS Support

VertiGIS uses this article page to provide information about the critical vulnerability CVE-2022-22965, known as Spring4Shell, disclosed on March 31, 2022, and its impact in the WebOffice context.
This article will be updated as new information becomes available.

VertiGIS is currently investigating the impact of the CVE-2022-22965 vulnerability in relation to the WebOffice application and related high priority components and hereby informs about the current status:

ArcGIS Base Technology

Regarding ArcGIS base technology, VertiGIS recommends the official article by Esri Inc:

Spring Framework RCE Vulnerabilities (esri.com)

Servlet Engine Apache Tomcat

Regarding the Apache Tomcat servlet engine, VertiGIS recommends upgrading to the latest version of Apache Tomcat 9 at version 9.0.62 or higher.

WebOffice application

For the vulnerability to be exploited, Spring4Shell must be present in an unleased version in both the Tomcat servlet engine and WebOffice. Thus, if only one component is updated, the vulnerability is closed. However, VertiGIS still recommends a Tomcat update.

172798: General: Update to Spring Framework v5.3.18 as fix for critical vulnerability CVE-2022-22965 - known as Spring4Shell; Furthermore it is strongly recommended to update Apache Tomcat

WebOffice Full-Text search (FTS-Index)

Regarding the WebOffice full text search (FTS index) the statement of Apache Solr:
The engine uses Solr 8.11.1 (Java based), but there is no dependency to the Spring framework.

Therefore, no update is necessary.

Please follow this article to be informed about the current state of knowledge.

Update 1 - 04.04.2022, 14:30:

ArcGIS Basic Technology
- Latest information added
WebOffice Full-Text Search (FTS Index)
- Latest information added

ArcGIS Base Technology

Servlet Engine Apache Tomcat

WebOffice application

WebOffice Full-Text search (FTS-Index)

Related articles