RealObjects is actively responding to the reported remote code execution vulnerability CVE-2022-22965 in the Spring Framework Java library, aka “Spring4Shell” (https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/). We are investigating and analyzing whether and how our products and services may be impacted by this vulnerability.
As of now we have identified that part of our products (the PDFreactor Web Service) might be affected by this vulnerability. We plan to mitigate this soon with a new PDFreactor 11 release that updates the Spring Framework dependencies to versions that are no longer affected.
Important: When using PDFreactor as a Java library, you are not affected by CVE-2022-22965.
Until this release is available, or if you are using an older version of PDFreactor, the vulnerability can be mitigated by the customer (at your own discretion) by replacing the affected libraries (list of library files below) in “$InstallDir/jetty/lib/ext/core” with unaffected versions.
spring-aop-5.x.yy.jar
spring-beans-5.x.yy.jar
spring-context-5.x.yy.jar
spring-core-5.x.yy.jar
spring-expression-5.x.yy.jar
spring-web-5.x.yy.jar
For PDFreactor 10.2 we recommend updating to Spring Framework 5.2.20.
For PDFreactor 11 we recommend updating to Spring Framework 5.3.18.
For PDFreactor versions below 10.2 we recommend updating to the latest major version, or at least to PDFreactor 10.2, and then replacing the affected Spring Framework libraries as described above.
You can download the required files here: https://repo.spring.io/ui/native/release/org/springframework/spring/
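The following script is an added example (not RealObjects' own tooling) that audits the Spring jars in a PDFreactor Web Service install directory against the versions recommended above, so you can verify that the replacement was applied to every listed module. It assumes the jar filenames follow the spring-<module>-<version>.jar pattern listed in this advisory; INSTALL_DIR and PDFREACTOR_VERSION are placeholders for your own installation.

```shell
#!/bin/sh
# Added example, not part of the RealObjects advisory or of PDFreactor itself.

# Minimum Spring Framework version recommended for a PDFreactor release
# (10.2 -> 5.2.20, 11 -> 5.3.18, as stated in the advisory).
recommended_spring_version() {
    case "$1" in
        10.2) echo 5.2.20 ;;
        11)   echo 5.3.18 ;;
        *)    echo "no recommendation recorded for PDFreactor $1" >&2; return 1 ;;
    esac
}

# version_ge A B: succeed when dotted version A is >= B (up to 3 numeric parts).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(echo "$1" | cut -d. -f"$i"); b=$(echo "$2" | cut -d. -f"$i")
        a=${a:-0}; b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# check_spring_jars DIR MINVER: report each advisory-listed Spring module found
# in DIR; fail when a module is older than MINVER or is missing entirely.
check_spring_jars() {
    dir=$1; minver=$2; status=0
    for mod in aop beans context core expression web; do
        found=0
        for jar in "$dir"/spring-"$mod"-*.jar; do
            [ -e "$jar" ] || continue
            found=1
            ver=$(basename "$jar" .jar | sed "s/^spring-$mod-//")
            if version_ge "$ver" "$minver"; then
                echo "spring-$mod $ver OK"
            else
                echo "spring-$mod $ver UPDATE to $minver"; status=1
            fi
        done
        [ "$found" -eq 1 ] || { echo "spring-$mod MISSING"; status=1; }
    done
    return $status
}

# Usage: INSTALL_DIR and PDFREACTOR_VERSION are placeholders for your setup.
if [ -n "${INSTALL_DIR:-}" ]; then
    check_spring_jars "$INSTALL_DIR/jetty/lib/ext/core" \
        "$(recommended_spring_version "${PDFREACTOR_VERSION:-11}")"
fi
```

A leftover old jar next to the new one is reported as UPDATE, since both copies on the classpath would leave the affected code present.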