2022: Security Advisory: Spring4Shell Java Spring Framework

Summary

NT-ware is aware of a new remote code execution vulnerability affecting the Java Spring framework. Named Spring4Shell and tracked as CVE-2022-22965, the vulnerability lies in the Java ‘Spring’ library. We tasked our security and development teams with investigating and mitigating the issue and communicating our activities. These activities have concluded and the results are listed below. As this vulnerability was only recently disclosed, the information below is subject to change if new exploits are identified.

Advisory release date

4th April 2022

Product Affected

uniFLOW sysHUB

Products Reviewed

NT-ware Web Sites, uniFLOW Server, uniFLOW Online and PRISMAsatellite

CVE

CVE-2022-22965

Severity

<NT-ware rates the severity level of this vulnerability as …>

Summary of Vulnerability

NT-ware (company)

  • All public-facing sites and services have been reviewed and scanned by vulnerability assessment tools and human inspection.

  • Some internal services have been identified as using the affected Spring library. We have taken immediate steps to patch them or put mitigation controls in place.

uniFLOW

None of the uniFLOW components are affected:

  • uniFLOW Server, Remote Print Servers, SmartClients, Internet Gateway, Web Submission, and supporting services.

  • uniFLOW Embedded Applets for:

    • Canon MEAP devices

    • varioPrint 140 devices

    • ColorWave/PlotWave printers

    • ScanFront devices

    • Xerox/HP/Samsung/Konica Minolta/Brother/Sharp/OKI/EPSON/Lexmark devices

  • Devices connected with uniFLOW Release Stations

uniFLOW Online/uniFLOW Online Express

None of the uniFLOW Online/uniFLOW Online Express components are affected:

  • The platform itself, SmartClients, and supporting services

  • uniFLOW Embedded Applets for Canon MEAP devices

  • Devices connected with uniFLOW Release Stations

PRISMAsatellite

None of the PRISMAsatellite components are affected.

Affected Versions

Please Note: The versions listed as ‘Affected’ are NOT affected by the vulnerability and cannot be exploited. We list them because the Spring components are visible to vulnerability scanners and may be reported as a false positive.

Product           Affected versions
uniFLOW sysHUB    COSMOS V2.9 and sysHUB 2021

uniFLOW sysHUB

None of the uniFLOW sysHUB (Cosmos) components are affected:

  • While the Spring library is present in the uniFLOW sysHUB (Cosmos) product, we can confirm it is NOT affected by this vulnerability.

    • COSMOS versions < 2.9 use Java 8, whereas the vulnerability requires Java 9 or later.

    • COSMOS V2.9 and sysHUB 2021 onwards use Java 11, but the following points exclude the vulnerability:


      • All versions of COSMOS and sysHUB use Jetty instead of Tomcat as the servlet engine.

      • None of the standard web applications are deployed as WAR files.

      • Spring-webflux is NOT used in any of the standard web applications.
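As an added illustration of the precondition reasoning above (not part of the NT-ware advisory or product), the following Python triage helper evaluates the listed exploitation preconditions for a deployment description. The Java version strings, jar file names and packaging values are constructed sample inputs, and matching Tomcat and Spring by jar file name is an assumption about how those libraries usually appear on a classpath.

```python
import re

# Exploitation preconditions for CVE-2022-22965 listed in the advisory:
# JDK 9 or later, Tomcat as servlet container, WAR deployment and
# spring-webmvc / spring-webflux on the classpath.
MIN_EXPLOITABLE_JAVA = 9
SPRING_WEB_JARS = ("spring-webmvc", "spring-webflux")


def java_major_version(version_string: str) -> int:
    """Major version from a `java -version` style string: handles the legacy
    "1.8.0_292" scheme (-> 8) and the modern "11.0.14" / "17" scheme."""
    m = re.search(r'"?(\d+)(?:\.(\d+))?', version_string)
    if not m:
        raise ValueError(f"unrecognised Java version: {version_string!r}")
    major, minor = int(m.group(1)), m.group(2)
    if major == 1 and minor is not None:  # legacy 1.x numbering
        return int(minor)
    return major


def spring4shell_preconditions(java_version: str, jars: list, packaging: str) -> dict:
    """Evaluate each known exploitation precondition for one deployment.
    jars: jar file names on the classpath; packaging: "war" or "jar".
    Matching jar names is an assumption about how Tomcat/Spring appear."""
    names = [j.lower() for j in jars]
    checks = {
        "java9_or_later": java_major_version(java_version) >= MIN_EXPLOITABLE_JAVA,
        "tomcat_container": any("tomcat" in n for n in names),
        "war_deployment": packaging.lower() == "war",
        "spring_web_present": any(n.startswith(SPRING_WEB_JARS) for n in names),
    }
    checks["all_preconditions_met"] = all(checks.values())
    return checks


# Constructed sample deployments mirroring the advisory's reasoning
# (file names are illustrative, not taken from the product).
COSMOS_PRE_2_9 = ('java version "1.8.0_292"', ["jetty-server.jar", "spring-webmvc.jar"], "jar")
SYSHUB_2021 = ('openjdk version "11.0.14"', ["jetty-server.jar", "spring-webmvc.jar"], "jar")
TOMCAT_WAR = ('openjdk version "11.0.14"', ["tomcat-embed-core.jar", "spring-webmvc.jar"], "war")

if __name__ == "__main__":
    for label, dep in (("COSMOS < 2.9", COSMOS_PRE_2_9), ("sysHUB 2021", SYSHUB_2021), ("Tomcat WAR", TOMCAT_WAR)):
        print(label, spring4shell_preconditions(*dep))
```

Only the constructed Tomcat WAR deployment satisfies every precondition; the two sysHUB-style deployments each fail at least one, which is the point the advisory makes.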

Fixed Versions

Product           Fix versions
uniFLOW sysHUB    sysHUB 2022.1

  • Out of an abundance of caution, we will be taking further actions moving forward. Please note there is NO need to patch existing systems/installations to mitigate the known listed exploits.

    • We will update the Spring library to the latest version with sysHUB 2022.1.

    • The build pipeline's capability to deploy WAR files will also be disabled with sysHUB 2022.1.


What You Need to Do

Please review the information provided and upgrade as needed.

Mitigation

No mitigations are required, as our products are not directly exploitable.

Support

If you have further questions, please contact your Canon / Canon Business Partner representative.