oss-sec mailing list archives

Re: SpringShell and recent OpenJDK updates

From: "Kevin Decherf" <kevin () kdecherf com>
Date: Thu, 31 Mar 2022 15:33:18 +0200

On Wed, Mar 30, 2022, at 22:15, Alan Coopersmith wrote:

On 3/30/22 11:31, Jeffrey Walton wrote:

Hi Everyone,

I saw Ubuntu patched OpenJDK 11 recently. [1] Was that due to SpringShell? [2]


The Spring Framework is separate from OpenJDK.  (Perhaps you were thinking of
the Swing framework, which is part of OpenJDK?)

The latest I've seen on SpringShell suggests it was dropped without warning
as a zero-day: https://bugalert.org/content/notices/2022-03-30-spring.html


Here are official announcements regarding the Spring Framework RCE:
- https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
- https://tanzu.vmware.com/security/cve-2022-22965

-- 
Kevin Decherf - @Kdecherf
GPG 0x108ABD75A81E6E2F
https://kdecherf.com

Current thread:

SpringShell and recent OpenJDK updates Jeffrey Walton (Mar 30)
- Re: SpringShell and recent OpenJDK updates Seth Arnold (Mar 30)
- Re: SpringShell and recent OpenJDK updates Alan Coopersmith (Mar 30)
  - Re: SpringShell and recent OpenJDK updates Kevin Decherf (Mar 31)