Page History
[updated on 2022 03 07 1806 06 16:00 GMT+1]
For more information, see spring blog and CVE-2022-22965.
Table of Contents |
---|
Change log
Timestamp | Description |
---|---|
2022 06 06 16:00 GMT+1 | 2021x Refresh2 HF3 (hot fix) with Spring Framework 5.3.18 is released as Remediation option. |
2022 04 22 16:00 GMT+1 | Added Remediation option for Collaboration tools 2021x GA version. |
2022 04 04 182021 12 16 14:00 GMT+1 | First publication. CollaboratorCollaboration tools affected, see Remediation. |
Spring Framework (Spring4Shell) version 5.3.0 to 5.3.17, 5.2.0 to 5.2.19 is a part of the following products. Action to perform.
CATIA Magic portfolio
- Magic Collaboration Studio (release 19.0 SP4, 2021x GA, 2021x Refresh1, 2021x Refresh2)
No Magic portfolio
- Teamwork Cloud (release 19.0 SP4, 2021x GA, 2021x Refresh1, 2021x Refresh2)
- Cameo Collaborator for Teamwork Cloud (release 19.0 SP4, 2021x GA, 2021x Refresh1, 2021x Refresh2)
To Do: You have action to perform. See Remediation.
Remediation
Remediation instructions for collaboration tools (Magic Collaboration Studio, Teamwork Cloud, Cameo Collaborator for Teamwork Cloud) 2021x Refresh2
Option 1
Download and install 2021x Refresh2 HF3 (hot fix). This is a new full 2021x Refresh2 version build with Spring Framework version 5.3.18.
See Downloading installation files
Option 2
Before starting with remediation, please download https://repo.spring.io/artifactory/release/org/springframework/spring/5.3.18/spring-5.3.18-dist.zip
...
h. compress the content of extracted .war file
i. rename .zip with the .war file name, for example: admin.war
j. replace original .war file with modified one in <webapp.install.dir>/webapps.
k. repeat the modification for all .war files.
l. start WebApp service.
Remediation instructions for collaboration tools (Magic Collaboration Studio, Teamwork Cloud, Cameo Collaborator for Teamwork Cloud) 2021x Refresh1
Before starting with remediation, please download https://repo.spring.io/artifactory/release/org/springframework/spring/5.3.18/spring-5.3.18-dist.zip
...
Jar file to delete | Replace with |
spring-aop-5.13.70.jar | spring-aop-5.3.18.jar |
spring-beans-5.13.70.jar | spring-beans-5.3.18.jar |
spring-context-5.13.70.jar | spring-context-5.3.18.jar |
spring-context-support-5.13.70.jar | spring-context-support-5.3.18.jar |
spring-core-5.13.70.jar | spring-core-5.3.18.jar |
spring-expression-5.13.70.jar | spring-expression-5.3.18.jar |
spring-jcl-5.13.70.jar | spring-jcl-5.3.18.jar |
spring-web-5.13.70.jar | spring-web-5.3.18.jar |
spring-webmvc-5.13.70.jar | spring-webmvc-5.3.18.jar |
d. compress the content of extracted webapp.war file
e. rename .zip with the webapp.war
f. replace original webapp.war file with modified one in <webapp.install.dir>/webapps
g. start WebApp service.
Remediation instructions for collaboration tools (Magic Collaboration Studio, Teamwork Cloud, Cameo Collaborator for Teamwork Cloud) 2021x GA
Before starting with remediation, please download https://repo.spring.io/artifactory/release/org/springframework/spring/5.3.18/spring-5.3.18-dist.zip
The required files for remediation could be found in spring-framework-5.3.18/libs folder.
- Stop WebApp service
- Go to <webapp.install.dir>/webapps
- Delete folder webapp/
- Copy webapp.war file to a temp directory. In the temp directory:
- unzip webapp.war file
- go to webapp/WEB-INF/lib
- perform the modification:
Jar file to delete | Replace with |
spring-aop-5.2.5.jar | spring-aop-5.3.18.jar |
spring-beans-5.2.5.jar | spring-beans-5.3.18.jar |
spring-context-5.2.5.jar | spring-context-5.3.18.jar |
spring-context-support-5.2.5.jar | spring-context-support-5.3.18.jar |
spring-core-5.2.5.jar | spring-core-5.3.18.jar |
spring-expression-5.2.5.jar | spring-expression-5.3.18.jar |
spring-jcl-5.2.5.jar | spring-jcl-5.3.18.jar |
spring-web-5.2.5.jar | spring-web-5.3.18.jar |
spring-webmvc-5.2.5.jar | spring-webmvc-5.3.18.jar |
d. compress the content of extracted webapp.war file
e. rename .zip with the webapp.war
f. replace original webapp.war file with modified one in <webapp.install.dir>/webapps
g. start WebApp service.
Remediation instructions for collaboration tools (Magic Collaboration Studio, Teamwork Cloud, Cameo Collaborator for Teamwork Cloud) 19.0 SP4
Before starting with remediation, please download https://repo.spring.io/artifactory/release/org/springframework/spring/5.3.18/spring-5.3.18-dist.zip
...
Jar file to delete | Replace with |
spring-aop-5.31.7.0RELEASE.jar | spring-aop-5.3.18.jar |
spring-beans-5.31.7.0RELEASE.jar | spring-beans-5.3.18.jar |
spring-context-5.31.7.0RELEASE.jar | spring-context-5.3.18.jar |
spring-context-support-5.1.37.0RELEASE.jar | spring-context-support-5.3.18.jar |
spring-core-5.31.7.0RELEASE.jar | spring-core-5.3.18.jar |
spring-expression-5.1.37.0RELEASE.jar | spring-expression-5.3.18.jar |
spring-jcl-5.1.37.0RELEASE.jar | spring-jcl-5.3.18.jar |
spring-web-5.31.7.0RELEASE.jar | spring-web-5.3.18.jar |
spring-webmvc-5.31.7.0RELEASE.jar | spring-webmvc-5.3.18.jar |
d. compress the content of extracted webapp.war file
e. rename .zip with the webapp.war
f. replace original webapp.war file with modified one in <webapp.install.dir>/webapps directory
g. start WebApp service.
...