CVE-2022-22965

Cloud CMS API Container

Cloud CMS API docker containers version 3.2.75 and prior ship with a version of the Spring Framework that has been
identified to contain a vulnerability. This vulnerability is identified as CVE-2022-22965 and the vulnerability report
can be found here:

https://tanzu.vmware.com/security/cve-2022-22965

We have assessed this vulnerability and recommend that our customers either upgrade to Cloud CMS 3.2.76 or apply the
workaround recommended in this docoument.

Upgrade to 3.2.76

The safest way to be sure you're protected against CVE-2022-22965 is to upgrade to Cloud CMS 3.2.76.

You can learn about Cloud CMS 3.2.76 here:
https://gitana.io/release.html?name=3.2.76

Cloud CMS 3.2.76 includes the following adjustments which innoculate against CVE-2022-22965:

  1. Apache Tomcat was upgraded to 9.0.62
  2. Our usage of the Spring Framework includes extra provision to explicitly disable class-field access via Spring web bindings.

These adjustments were performed in accordance with the Spring team's own recommendation as provided here:

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Workaround

If you cannot upgrade to 3.2.76 immediately, the following guidance is provided to achieve a workaround.

Upgrade Tomcat

To upgrade to version 9.0.62, you will need to adjust the Dockerfile used to launch your Cloud CMS API instance.

Generally, everyone customizes this file and so you will want to make adjustments that best fit the needs of your
environment.

Here is the Dockerfile that we provide with our sample kits for the Quickstart package:

FROM cloudcms/api-server:3.2.75

MAINTAINER Cloud CMS <support@cloudcms.com>

# copy the custom properties and classes into place
# this includes the license file in the ./classes/gitana/license directory
COPY ./classes/ /opt/tomcat/shared/classes/

We can adjust it to install Tomcat 9.0.62 like this:

FROM cloudcms/api-server:3.2.75

MAINTAINER Cloud CMS <support@cloudcms.com>

###################################################################################################################
RUN mkdir /tmp/_tmp_webapps \
 && mkdir /tmp/_tmp_conf \
 && mv /opt/tomcat/webapps/* /tmp/_tmp_webapps \
 && mv /opt/tomcat/conf/server.xml /tmp/_tmp_conf \
 && rm -r /opt/tomcat \
 && wget -N https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62.tar.gz -O /tmp/apache-tomcat-9.0.62.tar.gz \
 && tar xvf /tmp/apache-tomcat-9.0.62.tar.gz -C /tmp/ \
 && rm -r /tmp/apache-tomcat-9.0.62.tar.gz \
 && mv /tmp/apache-tomcat-9.0.62 /opt/tomcat \
 && rm -rf /opt/tomcat/webapps/* \
 && mv /tmp/_tmp_webapps/* /opt/tomcat/webapps \
 && mv /tmp/_tmp_conf/* /opt/tomcat/conf \
 && rm -rf /tmp/_tmp_webapps \
 && rm -rf /tmp/_tmp_conf \
 && mkdir -p /opt/tomcat/shared/classes \
 && mkdir -p /opt/tomcat/shared/license_classes/gitana/license \
 && echo "shared.loader=/opt/tomcat/shared/classes,/opt/tomcat/shared/license_classes" >> /opt/tomcat/conf/catalina.properties
 ###################################################################################################################

# copy the custom properties and classes into place
# this includes the license file in the ./classes/gitana/license directory
COPY ./classes/ /opt/tomcat/shared/classes/

The section delineated between the ###### sections above will download Tomcat 9.0.62 and swap it into place, replacing the
default installation of Tomcat and replacing it with the updated one. It does this ahead of launching the Cloud CMS API.

Once you've made these changes, be sure to rebuild your image to pick up the changes.

As per the guidance provided by Spring (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#suggested-workarounds), upgrading Tomcat will close the mechanism that this attack exploits.

That said, we will recommend upgrading to 3.2.76 for full hardening against this exploit once that version is available.
Once you do elect to upgrade to 3.2.76 (or beyond), you will need to remove the section added above from your Dockerfile.