Java Spring Core vulnerability?


Xavier Humbert

Mar 31, 2022, 4:41:13 AM
to rundeck-discuss

Hi,

Java Spring Core (version <= 5.3.17) and Spring Cloud versions <=3.1.6, <=3.2.2 are affected by a 0-day: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/

Is Rundeck also affected?

Thanks,

Cheers,

Xavier

-- 
Xavier Humbert
CRT Supervision et Exploitation de Niveau 1
Rectorat de Nancy-Metz
03 83 86 27 39

rac...@rundeck.com

Mar 31, 2022, 8:19:25 AM
to rundeck-discuss
Hi Xavier,

We are evaluating this; I'll update you ASAP.

Greetings!

rac...@rundeck.com

Apr 1, 2022, 12:36:49 PM
to rundeck-discuss
Hi Xavier,

Currently it doesn't affect Rundeck because that exploitable mode isn't used. Anyway, the Spring Core library will be updated; here is the GitHub thread, and here is the Pull Request.

Hope it helps!

Xavier Humbert

Apr 2, 2022, 6:07:05 AM
to rundeck...@googlegroups.com

Thank you for the quick update!

Cheers,

Xavier


On 4/1/22 18:36, rac...@rundeck.com wrote: