Closed philipjonsen closed 4 months ago
New log4shell exploit, could affect any apache/cisco, could affect hashgraph/hedera-services:hedera-node/pom.xml and test resps.
.
Describe the bug Could have similar likeness to the log4j affecting apache/cisco software and hardware.
Expected behavior Have similar behavior as log4j. Affecting all apache/cisco out there.
Operating System Linux
Additional context Just a quick early warning to look up this and keep eyes out for future patches/updates, might also exist patch/hotfix for this.
How to fix?
Upgrade org.springframework:spring-beans to version 5.2.20, 5.3.18 or higher.
https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15
https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html
mainnet, testnet
Version 5.2.20, 5.3.18 or higher.
Linux
https://github.com/Kirill89/CVE-2022-22965-PoC
Thanks @philipjonsen! We only have Spring on our classpath because of a test client dependency that isn't actually needed itself. Created https://github.com/hashgraph/hedera-services/issues/3077 to eliminate.
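A quick way to check whether a build actually pulls in a spring-beans version below the fixed releases named above (5.2.20 / 5.3.18) is to scan `mvn dependency:tree` output, which also shows the scope the dependency arrives with. The script below is an added example, not part of this issue or the hedera-services project; the dependency tree it parses is constructed sample data, and treating release lines older than 5.2 as needing an upgrade is an assumption.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not from the hedera-services build).
SAMPLE_TREE = """\
[INFO] com.example:hedera-node:jar:0.0.1-SNAPSHOT
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] +- com.example:test-client:jar:1.4.0:test
[INFO] |  \\- org.springframework:spring-beans:jar:5.3.16:test
[INFO] \\- org.springframework:spring-core:jar:5.3.18:compile
"""

# Minimum fixed spring-beans version per release line, as stated in the issue.
FIXED = {(5, 2): (5, 2, 20), (5, 3): (5, 3, 18)}


def parse_version(version):
    """Turn '5.3.16' or '0.0.1-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def parse_tree(text):
    """Return (group, artifact, version, scope) for every dependency line.

    Maven coordinates are group:artifact:type[:classifier]:version:scope, so the
    version and scope are always the last two fields; the root line has no scope
    and is skipped."""
    deps = []
    for line in text.splitlines():
        m = re.search(r"([\w.\-]+(?::[\w.\-]+)+)\s*$", line)
        if not m:
            continue
        parts = m.group(1).split(":")
        if len(parts) < 5:
            continue
        deps.append((parts[0], parts[1], parts[-2], parts[-1]))
    return deps


def is_vulnerable(version):
    """True if this spring-beans version is below the fix for its release line.
    Assumption: anything older than the 5.2 line is reported as needing an upgrade."""
    v = parse_version(version)
    line = v[:2]
    if line in FIXED:
        return v < FIXED[line]
    return line < (5, 2)


def find_vulnerable_spring_beans(tree_text):
    """Return [(version, scope)] for each spring-beans occurrence below the fixed version."""
    return [(ver, scope) for g, a, ver, scope in parse_tree(tree_text)
            if g == "org.springframework" and a == "spring-beans" and is_vulnerable(ver)]


if __name__ == "__main__":
    for ver, scope in find_vulnerable_spring_beans(SAMPLE_TREE):
        print(f"spring-beans {ver} ({scope} scope) is below the fixed version")
```

A test-scope hit, as in the sample, does not ship in the production artifact, but it is still the kind of unneeded dependency the reply above removes rather than upgrades.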