<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Dear midPoint community,</p>
<div class="entry-content">
<p>We interrupt your usual programming (again) to bring you this
breaking news (again) about a dangerous and far-reaching
vulnerability. This time it is <a
href="https://tanzu.vmware.com/security/cve-2022-22965">CVE-2022-22965</a>,
a.k.a. “Spring4Shell”, a zero-day remote code execution
vulnerability in the Spring Framework. As with Log4Shell,
midPoint is <b>not</b> vulnerable to the Spring4Shell attack.
However, there are some actions that you may need or want to
take.</p>
<p>MidPoint is based on the Spring Framework. However, midPoint
uses its own code to parse complex data structures. Therefore,
midPoint does not use the <tt>DataBinder</tt> class in a way
that would trigger the vulnerability. Moreover, the vulnerable
classloader is not used at all if you are running midPoint in
the default “stand-alone” deployment mode. Therefore pretty much
all midPoint deployments should be safe. However, there may be
some risk for non-standard deployments, or heavily customized
deployments.</p>
<p>First of all, if you are still using the explicit Tomcat
deployment model (deploying the <tt>midpoint.war</tt> file to your
Apache Tomcat server), you should migrate your deployment to the
default <a
href="https://docs.evolveum.com/midpoint/reference/deployment/stand-alone-deployment/">stand-alone</a>
deployment. The explicit Tomcat deployment was deprecated years
ago, and we have been recommending the stand-alone model ever
since. If you are still deploying to Tomcat, there is nothing to
wait for. Go stand-alone. Users running the official Docker
images are safe, as those are based on the default stand-alone
deployment.</p>
<p>Even though stock midPoint is not vulnerable, heavily
customized midPoint deployments might be vulnerable, especially
if the customization includes a custom REST service. Therefore we
are including the patch in the support branches of all supported
versions of midPoint. The code will be pushed to the repositories
soon after this post is published. This is an additional measure
which should secure all midPoint deployments. If you are running
a heavily customized midPoint, and you are not sure whether your
customizations are vulnerable, it would be wise to consider
upgrading to the builds from the latest support branches. As this
is only an additional precaution, and we do not consider midPoint
vulnerable as such, we will not be making special midPoint
releases at this point.</p>
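The risk described above comes from custom REST endpoints that let Spring MVC bind request parameters onto Java objects. The Spring team published a generic workaround for CVE-2022-22965 that denies binding to <tt>class.*</tt>-style property paths from every controller. The following is an added example of that workaround, not midPoint code and not the patch Evolveum mentions; the package name and class name are placeholders.

```java
// Added example: the generic Spring Framework workaround for CVE-2022-22965
// published by the Spring team, applied to all controllers through a
// @ControllerAdvice. It is not midPoint's own code and not Evolveum's patch.
// Package and class names are placeholder assumptions.
package com.example.customrest; // hypothetical package

import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

@ControllerAdvice
@Order(10000) // run after application-specific advice so the deny list is applied last
public class BinderHardeningControllerAdvice {

    // Property paths that must never be reachable through request-parameter
    // binding: they walk from the bound bean to its Class object and onward
    // to the classloader, which is what the Spring4Shell exploit relies on.
    private static final String[] DENY_LIST = {
            "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    // @InitBinder methods in a @ControllerAdvice are invoked for every
    // WebDataBinder created by every @Controller / @RestController.
    @InitBinder
    public void denyClassPropertyPaths(WebDataBinder binder) {
        binder.setDisallowedFields(DENY_LIST);
    }
}
```

Two caveats a practitioner should check: a controller that calls <tt>setDisallowedFields</tt> in its own <tt>@InitBinder</tt> method replaces this global list rather than extending it, so such controllers must include the same patterns themselves; and the workaround is only a stopgap, as Spring Framework 5.3.18 and 5.2.20 contain the actual fix and builds from the midPoint support branches are the recommended route.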
<p>To summarize: We are certain that the default stand-alone
deployments of midPoint are safe, and there is no action needed.
The same applies to the official Docker images. MidPoint
instances that are explicitly deployed to a Tomcat server are
most likely safe as well; however, we strongly recommend
switching to the stand-alone deployment as soon as possible.
Heavily customized midPoint deployments may be vulnerable if they
include vulnerable custom code. For heavily customized midPoint
deployments we recommend upgrading to the builds from the latest
support branches, and switching immediately to the stand-alone
deployment model.</p>
</div>
<p>(Reposted from <a
href="https://evolveum.com/midpoint-not-vulnerable-to-spring4shell/">Evolveum
blog</a>)</p>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com</pre>
</body>
</html>