WaveMaker Docs

Mitigating Spring Zero-day Vulnerability CVE-2022-22965

April 5, 2022

Uday Shankar


A new zero-day vulnerability in the Spring Framework was reported on 29th March 2022. It affects library versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions, and impacts Spring MVC applications running on JDK 9+.

Spring released version 5.3.18 on 31st March 2022, which fixes the vulnerability. The specific exploit requires the application to run on Tomcat as a WAR deployment. Spring's own blog post has more details about the vulnerability.

Is WaveMaker Application Affected?

WaveMaker 10 apps are compiled with Java 8 and are supported for deployment on Java 8 only, so in the supported configuration WaveMaker apps are not affected. Applications deployed on Java 9+ may be vulnerable if their controller methods use @ModelAttribute or have no parameter annotation. WaveMaker-generated controllers use @RequestParam, @PathParam or @RequestBody, so they are not affected by this vulnerability.

note

We recommend applying one of the mitigations described below as an immediate fix. WaveMaker will release a hotfix that includes the Spring version update very soon.

Risk Mitigation

Below are two ways to mitigate the risk from CVE-2022-22965 before the scheduled hotfix release.

Upgrade the Spring Version Manually in your pom.xml

Add the Spring Framework BOM, version 5.3.18, as the first entry in the <dependencies> list inside the <dependencyManagement> section of your pom.xml. The dependency to add is shown below.

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-framework-bom</artifactId>
    <version>5.3.18</version>
    <type>pom</type>
    <scope>import</scope>
</dependency>

note

Ensure it is the first managed dependency, placed before the wavemaker-app-runtime-services dependency; otherwise the WaveMaker runtime's own managed Spring version takes precedence and the override has no effect.

Upgrade Tomcat Version

Upgrade Tomcat to 9.0.62 or 8.5.78, which closes the attack vector on Tomcat's side.
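The following Python audit script is an added example and is not WaveMaker's code or part of the original post. It checks a project against the three facts stated above: whether a Spring version falls in the affected ranges (5.3.0 to 5.3.17, 5.2.0 to 5.2.19, older), whether a Tomcat version is at or above 9.0.62 / 8.5.78, and whether a pom.xml carries the spring-framework-bom 5.3.18 import as the first managed dependency, ahead of wavemaker-app-runtime-services. The pom.xml samples are constructed inline; the groupId and version used for wavemaker-app-runtime-services in them are placeholders, and only the artifactId is inspected.

```python
"""Mitigation checks for CVE-2022-22965 (added example, not WaveMaker code)."""
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"   # default Maven POM namespace
SPRING_FIXED = (5, 3, 18)                      # fixed version named in the post
TOMCAT_FIXED = {9: (9, 0, 62), 8: (8, 5, 78)}  # patched Tomcat branches in the post


def parse_version(text):
    """'5.3.17' -> (5, 3, 17); numeric segments only, qualifiers are dropped."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def spring_is_vulnerable(version):
    """True when the version lies in the affected ranges given in the post."""
    v = parse_version(version)
    if not v:
        raise ValueError(f"unparseable version: {version!r}")
    if (5, 3, 0) <= v <= (5, 3, 17) or (5, 2, 0) <= v <= (5, 2, 19):
        return True
    return v < (5, 2, 0)   # the post says older versions are affected as well


def tomcat_is_patched(version):
    """True/False for the 9.0.x and 8.5.x branches; None for branches the post does not cover."""
    v = parse_version(version)
    fixed = TOMCAT_FIXED.get(v[0]) if v else None
    if fixed is None:
        return None
    return v >= fixed


def check_pom(pom_xml):
    """Return a list of findings; an empty list means the BOM override is in place."""
    root = ET.fromstring(pom_xml)
    deps = root.findall(f"./{NS}dependencyManagement/{NS}dependencies/{NS}dependency")
    findings, bom_index = [], None
    for i, dep in enumerate(deps):
        group = dep.findtext(f"{NS}groupId", "")
        artifact = dep.findtext(f"{NS}artifactId", "")
        if (group, artifact) != ("org.springframework", "spring-framework-bom"):
            continue
        bom_index = i
        version = dep.findtext(f"{NS}version", "")
        if not parse_version(version):
            findings.append(f"spring-framework-bom version {version!r} is not a literal version")
        elif parse_version(version) < SPRING_FIXED:
            findings.append(f"spring-framework-bom {version} is below 5.3.18")
        if dep.findtext(f"{NS}type") != "pom" or dep.findtext(f"{NS}scope") != "import":
            findings.append("spring-framework-bom needs <type>pom</type> and <scope>import</scope>")
    if bom_index is None:
        findings.append("no spring-framework-bom entry in dependencyManagement")
    elif bom_index != 0:
        findings.append("spring-framework-bom is not the first managed dependency "
                        "(it must precede wavemaker-app-runtime-services)")
    return findings


# Constructed pom.xml samples. The runtime groupId/version are placeholders.
BOM_DEP = """<dependency>
  <groupId>org.springframework</groupId><artifactId>spring-framework-bom</artifactId>
  <version>5.3.18</version><type>pom</type><scope>import</scope>
</dependency>"""
RUNTIME_DEP = """<dependency>
  <groupId>PLACEHOLDER-GROUP</groupId><artifactId>wavemaker-app-runtime-services</artifactId>
  <version>PLACEHOLDER-VERSION</version>
</dependency>"""


def make_pom(*deps):
    body = "\n".join(deps)
    return (f'<project xmlns="http://maven.apache.org/POM/4.0.0">'
            f"<dependencyManagement><dependencies>{body}</dependencies>"
            f"</dependencyManagement></project>")


UNPATCHED_POM = make_pom(RUNTIME_DEP)            # no override: runtime's Spring wins
WRONG_ORDER_POM = make_pom(RUNTIME_DEP, BOM_DEP)  # override present but ordered too late
PATCHED_POM = make_pom(BOM_DEP, RUNTIME_DEP)      # override first, as the post requires

if __name__ == "__main__":
    for name, pom in [("unpatched", UNPATCHED_POM), ("wrong order", WRONG_ORDER_POM),
                      ("patched", PATCHED_POM)]:
        print(name, "->", check_pom(pom) or "OK")
    print("5.3.17 vulnerable:", spring_is_vulnerable("5.3.17"))
    print("Tomcat 8.5.78 patched:", tomcat_is_patched("8.5.78"))
```

Run it against your own pom.xml by passing the file contents to check_pom; the three constructed samples show the unpatched, mis-ordered and correct layouts side by side. Confirming the resolved Spring version after the change (for example from the spring-core JAR name under WEB-INF/lib of the built WAR) is the last step, since a BOM that is ordered after wavemaker-app-runtime-services produces no error but also no upgrade.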
