Vulnerability on Spring framework #764
jenriquesoriano announced in Announcements
Dear INSPIRE Community,
a recent vulnerability (CVE-2022-22965) has been detected in Spring Framework when used on JDK 9+, which makes it vulnerable to remote code execution (RCE) via data binding.
This vulnerability requires the following conditions to be met:
We would like to clarify that the INSPIRE Reference Validator is not affected by this vulnerability, nor are the distributed components, since they are deployed with Java 8 and Jetty as the servlet container.
On the other hand, we want to communicate it to those users who may use a different environment and may be deploying on Java 9+ and Apache Tomcat, and we recommend that they review their architecture in order to assess the potential impact.
We remain at your disposal for any questions or additional information you may need.
Best regards,
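For users reviewing their own deployment, the following is an added example (not part of the original announcement and not INSPIRE project code) that triages a host against the two environment conditions this post names, Java 9+ and Apache Tomcat. The function names, the result labels and the sample strings are assumptions made for illustration; it does not cover any condition the post does not state.

```shell
#!/bin/sh
# Added example: triage against the two conditions named in the announcement
# (Java 9+ and Apache Tomcat). All names and sample strings are constructed.

# version_from_banner BANNER -> quoted version on the first line of `java -version`
version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.* version "\([^"]*\)".*/\1/p'
}

# java_major VERSION -> major release number.
# Legacy scheme "1.8.0_322" -> 8; current scheme "11.0.14" -> 11, "17-ea" -> 17.
java_major() {
    v=$1
    case "$v" in
        1.*) v=${v#1.} ;;
    esac
    echo "${v%%[!0-9]*}"
}

# container_kind SERVERINFO -> tomcat | jetty | other
# SERVERINFO is whatever identification string the servlet container reports.
container_kind() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *tomcat*) echo tomcat ;;
        *jetty*)  echo jetty ;;
        *)        echo other ;;
    esac
}

# assess BANNER SERVERINFO -> review | outside-named-conditions | unknown
assess() {
    major=$(java_major "$(version_from_banner "$1")")
    # An unparseable banner is reported as unknown, never as "not affected".
    [ -n "$major" ] || { echo unknown; return; }
    if [ "$major" -ge 9 ] && [ "$(container_kind "$2")" = tomcat ]; then
        echo review
    else
        echo outside-named-conditions
    fi
}

# Constructed samples: the validator's stated setup, then a Java 11 + Tomcat host.
assess 'openjdk version "1.8.0_322"' 'jetty/9.4.44'
assess 'openjdk version "11.0.14" 2022-01-18' 'Apache Tomcat/9.0.60'
```

On a real host the first argument would be the output of `java -version 2>&1`; a `review` result means the deployment matches the environment described above and its architecture should be assessed.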