The following page contains information regarding the critical RCE vulnerability (CVE-2022-22965, or Spring4Shell) that has been discovered in the Spring Framework. The vulnerability affects applications based on Spring MVC and Spring WebFlux that meet both of the following criteria:
- The application uses JDK 9+.
- The application runs on Tomcat as a WAR deployment.
Applications deployed using a Spring executable jar (embedded Servlet container or reactive web server) are therefore not directly impacted.
Below you may find details on which Ataccama versions are affected and how to mitigate the vulnerability in your specific configuration.
This family of versions is not affected by CVE-2022-22965 as WAR deployment is not used except for DQIT and MANTA.
If you are using DQIT module or MANTA, we recommend upgrading Tomcat to version 9.0.62 as a form of immediate protection. If you are using both DQIT and MANTA, both Tomcat instances must be upgraded. Alternatively, you can upgrade MANTA directly using a patched release, which can be provided on request for self-managed deployments.
We have added another security layer to our new release 13.7.0, which contains a patched version of the Spring framework and is now available for upgrade.
This family of versions is affected by CVE-2022-22965.
This does not include Ataccama ONE PaaS instances as they use Java 8.
To remediate the vulnerability, we recommend upgrading Tomcat to version 9.0.62 as a form of immediate protection. If you are using MANTA, make sure to upgrade Tomcat instances for both Ataccama software and MANTA.
Our new release 12.9.1 containing further fixes, namely setting Disallowed Fields as suggested by Spring, is now available for upgrade.
This family of versions is not affected as it uses Java version 8. If you do not upgrade your Java version, the application remains safe from the Spring4Shell vulnerability. If you run on Java 9+, we recommend downgrading to Java 8.
In general, we strongly recommend upgrading to a newer version of Ataccama software.