hashgraph / hedera-services

Crypto, token, consensus, file, and smart contract services for the Hedera public ledger
Apache License 2.0

Spring4shell - New exploit very similar to log4j out in the wild. #3075

Closed philipjonsen closed 4 months ago

philipjonsen commented 2 years ago

Description

New log4shell exploit, could affect any apache/cisco, could affect hashgraph/hedera-services:hedera-node/pom.xml and test resps.

Steps to reproduce

.

Additional context

Describe the bug: Could have similar likeness to the log4j affecting apache/cisco software and hardware.

Expected behavior: Have similar behavior as log4j. Affecting all apache/cisco out there.

Operating System: Linux

Additional context: Just a quick early warning to look up this and keep eyes out for future patches/updates, might also exist patch/hotfix for this.

How to fix?

Upgrade org.springframework:spring-beans to version 5.2.20, 5.3.18 or higher.

https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15

https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html

Hedera network

mainnet, testnet

Version

5.2.20, 5.3.18 or higher

Operating system

Linux

philipjonsen commented 2 years ago

https://github.com/Kirill89/CVE-2022-22965-PoC

tinker-michaelj commented 2 years ago

Thanks @philipjonsen! We only have Spring on our classpath because of a test client dependency that isn't actually needed itself. Created https://github.com/hashgraph/hedera-services/issues/3077 to eliminate.