Question:
Is Radiant Logic impacted by SPRING4SHELL (CVE-2022-22965)?
Answer:
SPRING4SHELL (CVE-2022-22965) - Radiant Logic is NOT impacted
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
This announcement from Spring contains an "Am I Impacted?" section as well as mitigation techniques.
According to that section:
"Am I Impacted?
These are the requirements for the specific scenario from the report:
1. JDK 9 or higher
2. Apache Tomcat as the Servlet container.
3. Packaged as a traditional WAR (in contrast to a Spring Boot executable jar).
4. spring-webmvc or spring-webflux dependency.
5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions."
What this means to Radiant Logic
1.) We are not on JDK 9 or higher; we are on JDK 8.
2.) We do not use Tomcat; we use Jetty.
3.) We are not packaging Spring as a WAR.
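
The conditions quoted from Spring's "Am I Impacted?" section can be evaluated against a deployment inventory, as in the following added example (not code from Radiant Logic or Spring). The function names, the container and packaging labels, and the sample inventories are assumptions for illustration, and the check covers only the listed conditions of the reported scenario.

```python
import re

JAR_RE = re.compile(r"^(spring-(?:webmvc|webflux|core|beans))-(\d+)\.(\d+)\.(\d+)")

def java_major(version):
    """Major release from a java.version string: '1.8.0_321' -> 8, '11.0.14' -> 11."""
    parts = re.split(r"[._+-]", version.strip())
    return int(parts[1]) if parts[0] == "1" else int(parts[0])

def spring_jars(jar_names):
    """Map Spring artifact name -> (major, minor, patch) parsed from jar file names."""
    found = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if m:
            found[m.group(1)] = tuple(int(x) for x in m.groups()[1:])
    return found

def in_listed_range(v):
    """True for 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions."""
    return v <= (5, 2, 19) or (5, 3, 0) <= v <= (5, 3, 17)

def check(java_version, container, packaging, jar_names):
    """Return (per-condition results, True only if every listed condition is met)."""
    jars = spring_jars(jar_names)
    conditions = {
        "jdk9_or_higher": java_major(java_version) >= 9,
        "tomcat_container": container.lower() == "tomcat",
        "war_packaging": packaging.lower() == "war",
        "webmvc_or_webflux": any(k in jars for k in ("spring-webmvc", "spring-webflux")),
        "spring_in_listed_range": any(in_listed_range(v) for v in jars.values()),
    }
    return conditions, all(conditions.values())

if __name__ == "__main__":
    # Constructed sample inventories (assumptions, not any real deployment).
    samples = {
        "jdk8-jetty-jar": ("1.8.0_321", "jetty", "jar", ["spring-webmvc-5.3.10.jar"]),
        "jdk11-tomcat-war": ("11.0.14", "tomcat", "war", ["spring-webmvc-5.3.17.jar"]),
    }
    for label, inv in samples.items():
        conds, all_met = check(*inv)
        unmet = [name for name, met in conds.items() if not met]
        print(label, "all listed conditions met:", all_met, "unmet:", unmet)
```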