Spring Framework vulnerability in Referenceccdaservice.war - Mitigation?


Sundar P Narayanan

Jan 19, 2024, 3:43:10 PM1/19/24
to Edge Test Tool (ETT)
Hello,

We have local installs of the Reference CCDA Validator with the Referenceccdaservice.war file for CDA validation purposes.

Our company's security team reached out to us stating "Rapid7 Insight" scan flagged a security vulnerability as follows on Referenceccdaservice.war

"Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.12.19, and older versions when running on JDK 9 or above and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable to remote code execution due to an unsafe data binding used to populate an object from request parameter to set a Tomcat specific ClassLoader. By crafting a request to the application and referencing the org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following: class.module.classLoader.resources.context.parent.pipeline.suffix.first = .jsp, an unethical attacker can gain remote code execution"

Initially, we hoped that we could simply take the latest war file y'all have, 3.1.71 from Sept 25. But upon checking its pom file, it appears it is still using an older Spring framework which is flagged as vulnerable.
...
<dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework</groupId>
                <artifactId>spring-framework-bom</artifactId>
                <version>4.3.30.RELEASE</version>
                <type>pom</type>
            </dependency>
        </dependencies>
</dependencyManagement>

Do you have plan to release a newer war which addresses this vulnerability? OR is one already available from y'all (in case we aren't looking in the right place)?


Thank you.
Sundar
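One way to check which Spring Framework jars a locally installed Referenceccdaservice.war actually bundles, and whether they fall in the range the scanner text above flags (added example, not part of this thread or of the validator project). The WAR built here is a constructed stand-in with empty jar entries; the cut-off versions 5.3.18 and 5.2.20 are the releases in which the Spring project fixed this issue.

```python
import io
import re
import zipfile

# Matches names like spring-webmvc-4.3.30.RELEASE.jar or spring-core-5.3.39.jar
SPRING_JAR_RE = re.compile(r"spring-[\w.-]*?-(\d+)\.(\d+)\.(\d+)(?:[.-]\w+)?\.jar$")


def parse_version(jar_name):
    """Return (major, minor, patch) from a spring-*.jar file name, or None."""
    m = SPRING_JAR_RE.search(jar_name)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_flagged(version):
    """True if the version is in the range the scanner flags (fixed in 5.2.20 / 5.3.18)."""
    if version < (5, 2, 20):
        return True  # 5.2.0-5.2.19 and every older line, e.g. the 4.3.x in the pom
    if (5, 3, 0) <= version <= (5, 3, 17):
        return True
    return False


def scan_war(war_bytes):
    """Map each spring-*.jar under WEB-INF/lib to a flagged/not-flagged verdict."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if not name.startswith("WEB-INF/lib/"):
                continue
            base = name.rsplit("/", 1)[-1]
            version = parse_version(base)
            if base.startswith("spring-") and version:
                report[base] = is_flagged(version)
    return report


def build_sample_war(jar_names):
    """Constructed WAR with empty jar entries, so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for jar in jar_names:
            war.writestr("WEB-INF/lib/" + jar, b"")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_war(["spring-webmvc-4.3.30.RELEASE.jar", "gson-2.8.9.jar"])
    for jar, flagged in scan_war(sample).items():
        print(f"{jar}: {'FLAGGED' if flagged else 'ok'}")
```

For a real install, replace the constructed bytes with `open("Referenceccdaservice.war", "rb").read()`.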

Kim Poletti

Jan 22, 2024, 9:28:25 AM1/22/24
to Edge Test Tool (ETT)
Hi - Thanks for reaching out. This has been logged for review and a member of the team will reach out in the near future.

Sundar P Narayanan

Jan 23, 2024, 3:27:53 PM1/23/24
to Edge Test Tool (ETT)
Thanks, do you have a link to the issue please?

Austin Moody

Jan 24, 2024, 9:11:16 AM1/24/24
to Edge Test Tool (ETT)
We have an item in the backlog to move to a new version of the Spring Framework.   I'll update here when we see what release that update will come out in.

Brennon Bohol

Feb 14, 2024, 8:16:43 AM2/14/24
to Edge Test Tool (ETT)
In the meantime regarding Sundar's request, are there any suggested upgrades that could be installed on the machine without breaking the application/service that could help mitigate this vulnerability?  

Thanks,

Brennon Bohol
Veradigm Program Manager

Brennon Bohol

Feb 20, 2024, 9:07:13 AM2/20/24
to Edge Test Tool (ETT)
Any update regarding the above?

Dan Brown SITE

Feb 20, 2024, 1:35:28 PM2/20/24
to Edge Test Tool (ETT)
Hi,

We intend to make the update when we have time as per our priorities and time available. However, this is an open source project and all of the code and dependencies are made available freely online. If you would like to update Spring, feel free to fork the project and do so. You would just need to update the pom to your desired version, and adjust any code as needed (if needed). After that, if you want it integrated back into the main repo before we get to it, feel free to make a PR.
Otherwise, no, I can't think of anything you could install on your machine. 
Austin can link you to the ticket, if needed. I'm not sure how it will help, though.

Best of luck,
Thanks,
Dan

James Spillman

Apr 17, 2025, 2:57:24 PM4/17/25
to Edge Test Tool (ETT)
The reference validator has been updated to spring 5.3.39, which is the latest free release of spring 5. Locking this thread.