AWS Marketplace scanners claim that the appliance is vulnerable to CVE-2022-22965.
Annotator Plus has a spring-beans-3.2.16 dependency vulnerable to CVE-2022-22965. spring-beans is a dependency of edu.utah.bmi.nlp:fastcontext: https://mvnrepository.com/artifact/org.springframework/spring-core/3.2.16.RELEASE
The appliance runs Annotator Plus as a WAR in Apache Tomcat (tomcat-7.0.76-16.el7_9), so it seems to fit the Spring4Shell prerequisites, even though I was unable to verify the exploit with a PoC exploit like https://github.com/tweedge/springcore-0day-en
A potential solution on our end would involve replacing the packaged version of Tomcat 7 for CentOS with Tomcat version 9.0.62+, which includes a mitigation.
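To confirm what a scanner reports, the Spring jars bundled in a WAR can be inventoried directly. The following is an added example, not code from this report or from the Annotator Plus project: it lists the spring-beans, spring-webmvc and spring-webflux jars under `WEB-INF/lib` and compares their versions with the Spring Framework releases that fix CVE-2022-22965 (5.3.18 and 5.2.20). The function names and the sample WAR are constructed for illustration.

```python
import io
import re
import zipfile

# Spring Framework releases that fix CVE-2022-22965, per the Spring advisory.
FIXED_5_2 = (5, 2, 20)
FIXED_5_3 = (5, 3, 18)
# Modules of interest: spring-beans carries the flaw; webmvc/webflux expose it.
JAR_RE = re.compile(
    r"WEB-INF/lib/(spring-(?:beans|webmvc|webflux))-(\d+(?:\.\d+)*)[^/]*\.jar$"
)


def parse_version(text):
    """Turn '3.2.16' into (3, 2, 16), padding short versions with zeros."""
    parts = [int(p) for p in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_fixed(version):
    """5.2.x needs >= 5.2.20; every other branch needs >= 5.3.18."""
    if version[:2] == (5, 2):
        return version >= FIXED_5_2
    return version >= FIXED_5_3


def audit_war(war):
    """Return sorted (artifact, version, fixed) tuples for a WAR path or file object."""
    findings = []
    with zipfile.ZipFile(war) as archive:
        for name in archive.namelist():
            match = JAR_RE.match(name)
            if match:
                artifact, version = match.groups()
                findings.append((artifact, version, is_fixed(parse_version(version))))
    return sorted(findings)


def build_sample_war(jar_names):
    """Constructed sample: an in-memory WAR holding empty placeholder jars."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for jar in jar_names:
            archive.writestr("WEB-INF/lib/" + jar, b"")
    buffer.seek(0)
    return buffer
```

The check relies on jar file names, so a shaded or renamed copy of Spring inside another jar would not be reported.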