'Spring4Shell: Security Analysis of the latest Java RCE '0-day' vulnerabilities in Spring (CVE-2022-22965 and CVE-2022-22963)

Regarding the "spring4shell" vulnerability in https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/ . Does anyone know if this vulnerability affects JFrog Artifactory Cloud or On-Premise versions?

Have searched support but have not seen an official response as yet hence asking the question more publicly.

artifactoryjfrog


Solution 1:[1]

The JFrog Platform (including Artifactory) is not affected by the Spring4Shell vulnerability (CVE-2022-22965) and Spring Cloud Function vulnerability (CVE-2022-22963),

This covers both the cloud version and the on-prem one (which share the same code base).

EDIT: Added link to a detailed remediation cookbook. Thx @tomek-tajne

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1

Related Questions

How to move artifacts in artifactory?

Maven Could not resolve dependencies (Return code is: 409 , ReasonPhrase:Conflict)

Should we use one Azure Container Registry (ACR) for all the products in development or one ACR per product?

Artifactory test connection from jenkins gets failed with timed out

Kubernetes and Wildcard DNS records

Reuse object/property in different stages of a declerative pipeline in Jenkins

cUrl vs Invoke-WebRequest

Copy latest artifact from one path to another

Android Studio can't connect to JFrog Artifactory

How to get packages on Ubuntu machine from local artifactory server

How to upload Maven packages and build info to Artifactory from Jenkins

How can I change mimetypes setting in Artifactory Cloud

JFrog: how to remove a version of an npm package?

How do I remove corporate proxy? I have tried everything, nothing works

What is package information in Jfrog artifactory and how to populate it?