Fix available for the Spring4Shell security vulnerability CVE-2022-22965


BMC Software is alerting users to the SpringShell or Spring4Shell vulnerability that requires immediate attention in BMC Helix Smart Reporting version 20.02.

A zero-day exploit for the vulnerability CVE-2022-22965 (code-named Spring Shell or Spring4Shell) was publicly released on March 30, 2022.

Date: April 19, 2022

Issue

A detailed description of the vulnerability (CVSS v3 rating: 9.8) can be found on the Spring Framework RCE, Early Announcement page.

Please follow the BMC Security Advisory Note for further updates.

If you have any questions about the problem, contact BMC Support.

We recommend that you immediately apply the fix as described in this topic.

Resolution

Verify the application version

  1. Log in to Smart Reporting with administrator permissions.
  2. Select Administration > System Information, as shown in the following image:

    (Image: administration_sr.png)

  3. Verify the application version in the System Information screen, as shown in the following image:

    (Image: shell4j.png)


    Important

    Releases from version 8.0.4 onward are affected by this vulnerability.

Upgrade Spring Shell in an existing Smart Reporting instance (Remediation option)

  1. Navigate to https://mvnrepository.com/ and download the .jar files listed in steps 3 and 4.
  2. Stop Smart Reporting services.
  3. From the download location, copy the following files into the <Installation directory>/webapps/ROOT/WEB-INF/lib folder:
    • spring-aop-5.3.18.jar
    • spring-beans-5.3.18.jar
    • spring-context-5.3.18.jar
    • spring-context-support-5.3.18.jar
    • spring-core-5.3.18.jar
    • spring-expression-5.3.18.jar
    • spring-web-5.3.18.jar
    • spring-webmvc-5.3.18.jar 
    • spring-websocket-5.3.18.jar
  4. Copy the following files into the <Installation directory>/webapps/AdminConsole/WEB-INF/lib folder:
    • spring-aop-5.3.18.jar
    • spring-beans-5.3.18.jar
    • spring-context-5.3.18.jar
    • spring-core-5.3.18.jar
    • spring-expression-5.3.18.jar
    • spring-jcl-5.3.18.jar
    • spring-jdbc-5.3.18.jar
    • spring-tx-5.3.18.jar
    • spring-web-5.3.18.jar
  5. Remove the existing Spring libraries from their respective folders.

    Important

    The binary files in these folders will have the same file names, but a different version number (either version 5.3.9 or 5.2.7.RELEASE).


  6. Replace the binary files with the above-mentioned binaries.

    Important

    If you do not remove the existing files, the system might not start or could still be vulnerable to the exploit.

  7. After replacing the Spring binaries, restart the Smart Reporting services.
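To confirm that steps 3 to 6 took effect before restarting, the following shell script (an added example, not BMC's code and not part of the advisory) scans a WEB-INF/lib folder for spring-*.jar files, reads the version from each filename and reports every jar that is not at 5.3.18, which also catches an old 5.3.9 or 5.2.7.RELEASE copy left beside the new one. The installation path in the usage comment and the optional manifest cross-check (which assumes the jar's META-INF/MANIFEST.MF carries an Implementation-Version header) are assumptions.

```shell
#!/usr/bin/env bash
# Added check for the Spring jar replacement described in the advisory.
# Assumes jar files are named spring-<module>-<version>.jar, as listed above.

FIXED_VERSION="5.3.18"

# Print the version embedded in a Spring jar filename:
#   spring-core-5.3.18.jar            -> 5.3.18
#   spring-web-5.2.7.RELEASE.jar      -> 5.2.7.RELEASE
#   spring-context-support-5.3.18.jar -> 5.3.18
spring_jar_version() {
  name=$(basename "$1" .jar)
  # Longest-match strip of "spring-<module>-" so multi-part module names work.
  printf '%s\n' "${name##spring-*-}"
}

# Optional cross-check: read Implementation-Version from the jar manifest so a
# renamed jar cannot pass on filename alone. Returns 3 when unzip is missing.
spring_jar_manifest_version() {
  command -v unzip >/dev/null 2>&1 || return 3
  unzip -p "$1" META-INF/MANIFEST.MF 2>/dev/null \
    | tr -d '\r' | sed -n 's/^Implementation-Version: *//p'
}

# Scan one WEB-INF/lib directory. Prints one line per Spring jar and returns
# 0 only when every spring-*.jar is at FIXED_VERSION. An old copy left next to
# the new jar shows up as a second, OUTDATED line for the same module.
check_spring_libs() {
  libdir=$1
  rc=0
  for jar in "$libdir"/spring-*.jar; do
    if [ ! -e "$jar" ]; then
      echo "no spring jars found in $libdir"
      return 2
    fi
    ver=$(spring_jar_version "$jar")
    if [ "$ver" = "$FIXED_VERSION" ]; then
      echo "OK       $(basename "$jar")"
    else
      echo "OUTDATED $(basename "$jar") (version $ver, expected $FIXED_VERSION)"
      rc=1
    fi
  done
  return $rc
}

# Usage (installation path is an assumption):
#   ./check_spring_libs.sh /opt/smartreporting/webapps/ROOT/WEB-INF/lib \
#                          /opt/smartreporting/webapps/AdminConsole/WEB-INF/lib
if [ -n "${1:-}" ]; then
  status=0
  for d in "$@"; do
    check_spring_libs "$d" || status=1
  done
  exit $status
fi
```

Run it against both lib folders named in steps 3 and 4; a non-zero exit means at least one jar is still at an old version and the service should not be restarted until that file is removed, which is exactly the failure mode the "Important" note under step 6 describes.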
