A new zero-day vulnerability was reported in the Spring library on 29th March 2022, affecting the library versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. The vulnerability impacts Spring MVC applications running on JDK 9+.
Spring has released a new version on 31st March 2022, 5.3.18, which fixes the vulnerability. The specific exploit requires the application to run on Tomcat as a WAR deployment. The blog post added by Spring has more details about the vulnerability.
Is WaveMaker Application Affected?
WaveMaker 10 Apps are compiled using Java 8 and supported to deploy on Java 8 only. So ideally, WaveMaker apps are not affected. Applications deployed on Java 9+ are maybe vulnerable if the controller methods use @ModelAttribute or have no annotation. WaveMaker generated controllers either use @RequestParam, @PathParam or @RequestBody. So, they are not affected by this vulnerability.
We recommend mitigating your application using one of the steps mentioned below in the blog as an instant fix. WaveMaker will release a hotfix to include the Spring version update very soon.
Risk Mitigation
Below are two ways that you can follow to mitigate the risk against CVE-2022-22965 before the scheduled hotfix release.
Upgrade the Spring Version Manually in your pom.xml
Add the latest version of Spring framework bom 5.3.18 as the first dependency under the <dependencies> section of <dependencyManagement> section. Add the following dependencies as specified below.
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>5.3.18</version>
<type>pom</type>
<scope>import</scope>
</dependency>
Ensure it is the first dependency, and it is before the wavemaker-app-runtime-services dependency.
Upgrade Tomcat Version
Upgrade the Tomcat version to either 9.0.62 or 8.5.78, closing the attack vector on Tomcat's side.