Spring RCE Vulnerability

The SnapLogic platform is not impacted by the Spring4Shell vulnerability reported 3/31/2022 in the Spring Java libraries. The SnapLogic platform does not use spring-core or spring-cloud-function libraries. Although a limited number of Snaps have transitive dependencies on the spring-core library, these Snaps do not use the libraries in a manner that is vulnerable to this exploit. We will further evaluate these Snaps and make Snap patches available if required.

SnapLogic will continue to monitor this issue and update this thread when there are updates.


@dmiller, thanks for keeping this updated. It seems that the only Snap with a dependency on the Spring Core library is MongoDB. Although it appears to have no impact, it would be better to have a higher Spring Core version as recommended, since we are using Java 11 and it supports Spring Core 5.1 onwards.

Thanks,
Sanjay

We wanted to provide an update regarding the Spring Library vulnerabilities (CVE-2022-22950, CVE-2022-22965, CVE-2022-22968) as of today. Regarding all of the recently identified Spring Library vulnerabilities, we have verified through static code analysis and review of the Spring blog post that SnapLogic code is not vulnerable to the attack documented in the CVEs. We are working to update our libraries to the latest version for all enhancement and other security fixes, which will specifically impact the MongoDB and Twitter Snap Packs. We do not foresee any issues in updating these libraries within our code base and will provide further guidance and information as patches become available.
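The thread above says that a few Snap Packs carry spring-core as a transitive dependency and that the library will be moved to a fixed version. The check a practitioner wants is an inventory of which spring-core JARs are actually on disk and at what version, including JARs nested inside .zip/.jar bundles where transitive dependencies usually hide. The script below is an added example, not SnapLogic's code and not part of the original thread: it reads the version from the Maven pom.properties that Spring ships inside spring-core JARs and compares it with the releases in which the Spring Framework advisory fixed CVE-2022-22965 (5.2.20 on the 5.2 line, 5.3.18 on the 5.3 line; those thresholds come from the Spring advisory, not from this thread). The archives it scans are constructed in a temporary directory; they are not real Snap Packs, and the versions in them are made up for the demonstration.

```python
"""Added example: inventory spring-core JARs on disk and flag versions below the fix."""
from __future__ import annotations

import io
import pathlib
import re
import tempfile
import zipfile
from typing import Iterable, Iterator

# Releases in which the Spring Framework advisory fixed CVE-2022-22965 (Spring4Shell),
# one per maintained release line. Taken from the Spring advisory, not from the thread.
SPRING4SHELL_FIXED = ("5.2.20", "5.3.18")

# Maven metadata Spring ships inside spring-core JARs; it records the exact version.
POM_PROPS = "META-INF/maven/org.springframework/spring-core/pom.properties"


def parse_version(v: str) -> tuple[int, ...]:
    """'5.1.9.RELEASE' -> (5, 1, 9); qualifiers such as .RELEASE are dropped."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_fixed(version: str, fixed_versions: Iterable[str]) -> bool:
    """True if version is at or above the fix on its own major.minor line."""
    v = parse_version(version)
    lines = sorted(parse_version(f) for f in fixed_versions)
    for fv in lines:
        if v[:2] == fv[:2]:
            return v >= fv
    # No fix on this line: a newer line (6.x) was cut after the fix,
    # an older one (5.1.x, 4.x) never received one and stays flagged.
    return v[:2] > lines[-1][:2]


def spring_core_version(zf: zipfile.ZipFile) -> str | None:
    """Version recorded in pom.properties, or None if this archive is not spring-core."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def walk_archive(label: str, data: bytes) -> Iterator[tuple[str, zipfile.ZipFile]]:
    """Yield this archive and every .jar nested inside it (bundles, fat JARs), depth first."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a ZIP container: nothing to inspect
    with zf:
        yield label, zf
        for name in zf.namelist():
            if name.lower().endswith(".jar"):
                yield from walk_archive(f"{label}!/{name}", zf.read(name))


def audit(root: pathlib.Path,
          fixed_versions: Iterable[str] = SPRING4SHELL_FIXED) -> dict[str, tuple[str, bool]]:
    """Map every spring-core JAR under root: label -> (version, at-or-above-fix?)."""
    findings: dict[str, tuple[str, bool]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in (".jar", ".zip"):
            rel = path.relative_to(root).as_posix()
            for label, zf in walk_archive(rel, path.read_bytes()):
                version = spring_core_version(zf)
                if version is not None:
                    findings[label] = (version, is_fixed(version, fixed_versions))
    return findings


def make_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root: pathlib.Path) -> None:
    """Constructed sample data (not real Snap Packs): two bundles, one carrying an old spring-core."""
    old_core = make_zip({POM_PROPS: b"version=5.1.9.RELEASE\nartifactId=spring-core\n"})
    new_core = make_zip({POM_PROPS: b"version=5.3.18\nartifactId=spring-core\n"})
    plain = make_zip({"com/example/Plain.class": b"\xca\xfe\xba\xbe"})
    (root / "sample-a.zip").write_bytes(
        make_zip({"lib/spring-core-5.1.9.RELEASE.jar": old_core, "lib/helper.jar": plain}))
    (root / "sample-b.zip").write_bytes(make_zip({"lib/spring-core-5.3.18.jar": new_core}))
    (root / "standalone.jar").write_bytes(plain)


def demo() -> dict[str, tuple[str, bool]]:
    """Build the constructed tree and audit it; returns the findings for inspection."""
    with tempfile.TemporaryDirectory() as d:
        root = pathlib.Path(d)
        build_sample_tree(root)
        return audit(root)


if __name__ == "__main__":
    for label, (version, ok) in demo().items():
        print(f"{'OK ' if ok else 'FIX'} {label}: spring-core {version}")
```

Point `audit()` at a directory of deployed Snap Packs instead of the constructed tree to get a real inventory. Two caveats: shaded or relocated JARs may not carry pom.properties, in which case the filename or class fingerprints are the fallback; and, as the thread itself notes, a version below the fix says the library is unpatched, not that the code that calls it is exploitable, so the version check complements rather than replaces the code review described above.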