IriusRisk Team
|
The Threat Modeling Experts
April 4, 2022

IriusRisk and CVE-2022-22965

IriusRisk uses Spring Framework version 4.3.23, which is affected by CVE-2022-22965. However, this vulnerability cannot be exploited in standard installations of IriusRisk, because we run OpenJDK version 8, on which it is not exploitable.

Update: 11:00 BST - Tuesday 5th April, 2022

We have implemented further mitigation since our update on Friday 1st April at 20:50 BST / 21:50 CEST:

  • We have deployed a WAF rule blocking the exploit payload
  • We have published our Docker containers with the latest versions of Tomcat 8 and 9, which include the mitigation

If you are using our standard Docker containers in an on-premise installation, please update them to the latest ones.

These mitigations and updates will go live on all SaaS instances during our next maintenance window on Wednesday 6th April at 08:00 - 08:30 CEST.

Please reach out to your Customer Support representative should you require more detail.

If you are an on-premises customer and use a non-standard installation with Java 9 or later, then action is required to mitigate the risk of compromise.

The Spring engineering team has published [1] two mitigations that make this vulnerability non-exploitable:

  • Use Java version 8 [2], or
  • Use Tomcat version 10.0.20, 9.0.62, or 8.5.78, which include a mitigation for this issue at the Tomcat level.

Although we already have Java 8 in place, our engineering team will release an updated Docker image with Tomcat version 9.0.62 [3] as an additional mitigation step. Extra alerting and monitoring have been added to our SaaS instances so that we can detect and/or block any exploit attempt.

Actions Required:

  • If you are a SaaS customer:
      • No action is required. The systems are not exploitable because of the use of Java 8, and we will upgrade the systems with the additional mitigations in place.
  • If you have an on-premises installation with the default Docker images provided by IriusRisk:
      • No action is required. An upgrade to the images that contains the additional mitigations will be provided shortly.
  • If you have an on-premises installation and are using your own JDK:
      • If you are using Java 9 or greater, then action is required:
          • Switch to using Java 8, or
          • Upgrade to Tomcat 10.0.20, 9.0.62, or 8.5.78 (the mitigated release for your Tomcat branch)
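For customers running their own JDK, the decision rule above can be applied mechanically. The following POSIX shell script is an added example, not IriusRisk tooling and not part of the original advisory: it parses the `java -version` banner and a Tomcat version string and reports whether the advisory calls for action (Java 8 or earlier: none; Java 9 or later: none only when Tomcat is at or above 8.5.78, 9.0.62 or 10.0.20 on its branch). The `--check` mode assumes a standard Tomcat layout where `$CATALINA_HOME/bin/version.sh` prints a `Server number:` line; the version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not IriusRisk's own tooling): applies the advisory's decision
# rule for CVE-2022-22965 to a self-managed on-premises installation.
#   Java 8 or earlier                              -> not exploitable, no action
#   Java 9+ with Tomcat >= 8.5.78 / 9.0.62 / 10.0.20 -> mitigated at Tomcat level, no action
#   Java 9+ with an older Tomcat                   -> action required

# Pull the quoted version out of the first line of `java -version 2>&1`,
# e.g. the constructed banner 'openjdk version "1.8.0_322"' -> 1.8.0_322
java_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p'
}

# Major Java release from a version string: 1.8.0_322 -> 8, 11.0.14 -> 11, 17 -> 17.
# JDKs before 9 use the legacy "1.N" scheme, so strip the leading "1." first.
java_major() {
    v=$1
    case $v in
        1.*) v=${v#1.} ;;
    esac
    echo "${v%%.*}"
}

# Exit 0 when the Tomcat version carries the Tomcat-level mitigation named in
# the advisory (8.5.78, 9.0.62, 10.0.20) or a later patch release of that branch.
# Accepts "9.0.62" or the four-part "9.0.62.0" form printed by version.sh.
tomcat_mitigated() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    major=$1 minor=$2 patch=$3
    case "$major.$minor" in
        8.5)  fixed=78 ;;
        9.0)  fixed=62 ;;
        10.0) fixed=20 ;;
        *)    return 1 ;;   # branch not listed in the advisory: treat as unmitigated
    esac
    [ "${patch:-0}" -ge "$fixed" ]
}

# Prints the verdict. Exit status 0 means action is required, 1 means none.
spring4shell_action_required() {
    java_version=$1 tomcat_version=$2
    jmaj=$(java_major "$java_version")
    case $jmaj in
        ''|*[!0-9]*)
            echo "Could not parse Java version '$java_version': investigate manually"
            return 0 ;;
    esac
    if [ "$jmaj" -lt 9 ]; then
        echo "Java $jmaj: not exploitable on this JDK, no action required"
        return 1
    fi
    if tomcat_mitigated "$tomcat_version"; then
        echo "Java $jmaj with Tomcat $tomcat_version: Tomcat-level mitigation present, no action required"
        return 1
    fi
    echo "Java $jmaj with Tomcat ${tomcat_version:-unknown}: ACTION REQUIRED - switch to Java 8 or upgrade Tomcat to 10.0.20 / 9.0.62 / 8.5.78"
    return 0
}

# Run with --check on the host itself: reads the JDK banner and, if CATALINA_HOME
# is set, the "Server number:" line from Tomcat's bin/version.sh (assumed standard layout).
if [ "${1:-}" = "--check" ]; then
    jv=$(java_version_from_banner "$(java -version 2>&1 | head -n 1)")
    tv=""
    if [ -n "${CATALINA_HOME:-}" ] && [ -x "$CATALINA_HOME/bin/version.sh" ]; then
        tv=$("$CATALINA_HOME/bin/version.sh" | sed -n 's/^Server number: *//p')
    fi
    spring4shell_action_required "$jv" "$tv"
fi
```

An unparseable Java version is deliberately reported as "investigate manually" with the action-required exit status, so a broken JDK lookup fails closed rather than silently passing the host. Tomcat branches the advisory does not list (for example 7.x) are likewise treated as unmitigated.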

See Support Notes:

https://support.iriusrisk.com/hc/en-us/articles/5179997858577-Details-and-action-plan

References:

[1] https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative
[2] https://wiki.openjdk.java.net/display/jdk8u/Main
[3] https://tomcat.apache.org/tomcat-9.0-doc/changelog.html