[midPoint] MidPoint Not Vulnerable to Spring4Shell

Radovan Semancik radovan.semancik at evolveum.com
Thu Mar 31 18:29:12 CEST 2022


Dear midPoint community,

We interrupt your usual programming (again) to bring you this breaking 
news (again) about a dangerous and far-reaching vulnerability. This time 
it is CVE-2022-22965 <https://tanzu.vmware.com/security/cve-2022-22965>, 
a.k.a. “Spring4Shell”, a zero-day remote code execution vulnerability in 
the Spring Framework. Similarly to Log4Shell, midPoint is *not* vulnerable 
to the Spring4Shell attack. However, there are some actions that you may 
need or want to take.

MidPoint is based on Spring framework. However, midPoint is using its 
own code to parse complex data structures. Therefore, midPoint is not 
using the DataBinder class in a way that would trigger the 
vulnerability. Moreover, the vulnerable classloader is not used at all 
if you are using midPoint in default “stand-alone” deployment mode. 
Therefore pretty much all midPoint deployments should be safe. However, 
there may be some risks for non-standard deployments, or heavily 
customized deployments.

First of all, if you are still using the explicit Tomcat deployment model 
(deploying the midpoint.war file to your Apache Tomcat server), you should 
migrate your deployment to the default stand-alone 
<https://docs.evolveum.com/midpoint/reference/deployment/stand-alone-deployment/> 
deployment. The explicit Tomcat deployment was deprecated years ago; we 
have been recommending the stand-alone model all along. If you are 
still deploying to Tomcat, there is nothing to wait for. Go stand-alone. 
Users running official Docker images are safe, as those are based on the 
default stand-alone deployment.

Even though stock midPoint is not vulnerable, heavily-customized 
midPoint deployments might be vulnerable, especially if the 
customization includes a custom REST service. Therefore we are including 
the patch in support branches in all supported versions of midPoint. The 
code will be pushed to the repositories soon after this post is 
published. This is an additional measure which should secure all 
midPoint deployments. If you are running heavily customized midPoint, 
and you are not sure whether your customizations are vulnerable, it 
would be wise to consider upgrading to the builds from the latest 
support branches. As this is only an additional precaution, and we are 
not considering midPoint vulnerable as such, we will not be making 
special midPoint releases at this point.

To summarize: We are certain that the default stand-alone deployments of 
midPoint are safe, and there is no action needed. The same applies to 
official Docker images. MidPoint instances that are explicitly deployed 
to a Tomcat server are most likely safe as well; however, we strongly 
recommend switching to stand-alone deployment as soon as possible. 
Heavily customized midPoint deployments may be vulnerable if they 
include vulnerable custom code. For heavily customized midPoint 
deployments we recommend upgrading to the builds from the latest support 
branches, and immediately switching to the stand-alone deployment model.

(Reposted from Evolveum blog 
<https://evolveum.com/midpoint-not-vulnerable-to-spring4shell/>)

-- 
Radovan Semancik
Software Architect
evolveum.com
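As an added illustration for the "custom REST service" case discussed above (this is example code, not midPoint's own code and not the patch in the midPoint support branches), here is the kind of global data-binding guard a custom Spring MVC controller can carry as defence in depth. It follows the `@ControllerAdvice` workaround Spring published for CVE-2022-22965; the package and class names are hypothetical. Upgrading the Spring Framework and moving to the stand-alone deployment remain the actual fix.

```java
// Added example, not midPoint code: a global Spring MVC data-binding guard for
// custom REST controllers, following the @ControllerAdvice workaround Spring
// published for CVE-2022-22965. It denies request parameters that try to walk
// from a bound bean into its Class object ("class.*" and nested "*.class.*"),
// which is the binding path the Spring4Shell exploit relies on.
package com.example.hardening; // hypothetical package name

import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

@ControllerAdvice
@Order(10000) // low precedence: applied after other global advice
public class BinderHardeningAdvice {

    // Patterns from the Spring advisory. Both capitalizations are listed
    // because unpatched Spring versions match property paths case-sensitively.
    private static final String[] DENYLIST =
            {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void denyClassLoaderPaths(WebDataBinder binder) {
        // Keep anything already disallowed on this binder: setDisallowedFields
        // replaces the array rather than appending to it.
        String[] existing = binder.getDisallowedFields();
        if (existing == null || existing.length == 0) {
            binder.setDisallowedFields(DENYLIST);
            return;
        }
        String[] merged = new String[existing.length + DENYLIST.length];
        System.arraycopy(existing, 0, merged, 0, existing.length);
        System.arraycopy(DENYLIST, 0, merged, existing.length, DENYLIST.length);
        binder.setDisallowedFields(merged);
    }
}
```

Two caveats when using a guard like this: a controller with its own `@InitBinder` method that calls `setDisallowedFields` runs after the global advice and replaces the array, so such controllers must include the same patterns themselves; and the guard only covers Spring MVC request binding, which is why stock midPoint, parsing its data structures with its own code, is not affected in the first place.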