RealObjects is actively responding to the reported remote code execution vulnerability CVE-2022-22965 in the Spring Framework Java library, also known as “Spring4Shell” (https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/). We are investigating and analyzing whether and how our products and services may be impacted by this vulnerability.
As of now we have identified that part of our product range (the PDFreactor Web Service) might be affected by this vulnerability.
The vulnerability is mitigated with the PDFreactor 11.4.6 release (released on 2022-04-01), which contains updated Spring Framework dependencies that are no longer affected.
Important: When using PDFreactor as a Java library, you are not affected by CVE-2022-22965.
If you are using an older version of PDFreactor, the vulnerability can be mitigated by the customer (at your own discretion) by replacing the affected libraries in “$InstallDir/jetty/lib/ext/core” with unaffected versions. The affected library files are:
spring-aop-5.x.yy.jar
spring-beans-5.x.yy.jar
spring-context-5.x.yy.jar
spring-core-5.x.yy.jar
spring-expression-5.x.yy.jar
spring-web-5.x.yy.jar
For PDFreactor 10.2 we recommend updating to Spring Framework 5.2.20.
For PDFreactor versions below 10.2 we recommend updating to the latest major version, or at least to PDFreactor 10.2, and then replacing the affected Spring Framework libraries as described above.
You can download the required files here: https://repo.spring.io/ui/native/release/org/springframework/spring/
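A check an administrator can run against the library directory named above before and after swapping the jars, as an added example that is not RealObjects' own tooling. It assumes the file names follow the spring-<module>-<version>.jar pattern listed above (5.2.x artifacts carry a .RELEASE suffix) and, in addition to the 5.2.20 threshold given here, uses 5.3.18 as the fixed version of the 5.3 line from the Spring Framework advisory.

```shell
#!/bin/sh
# Added example, not RealObjects' own tooling: audit the Spring Framework
# jars a PDFreactor Web Service installation carries in
# "$InstallDir/jetty/lib/ext/core" and report any still affected by
# CVE-2022-22965. Thresholds: 5.2.20 for the 5.2 line (as the advisory
# states) and 5.3.18 for the 5.3 line (from the Spring Framework advisory).

# spring_jar_status JAR -> prints "fixed", "vulnerable" or "unknown" (not one of the six affected modules)
spring_jar_status() {
    name=$(basename -- "$1")
    case "$name" in
        spring-aop-*.jar|spring-beans-*.jar|spring-context-*.jar|spring-core-*.jar|spring-expression-*.jar|spring-web-*.jar) ;;
        *) echo unknown; return 0 ;;
    esac
    # "spring-web-5.2.9.RELEASE.jar" -> "5.2.9" (5.2.x artifacts carry a .RELEASE suffix, 5.3.x do not)
    ver=${name#spring-*-}; ver=${ver%.jar}; ver=${ver%.RELEASE}
    oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
    major=$1; minor=${2:-0}; patch=${3:-0}
    case "$major$minor$patch" in ''|*[!0-9]*) echo unknown; return 0 ;; esac   # not a numeric version
    if [ "$major" -ge 6 ]; then echo fixed; return 0; fi      # 6.x was released after the fix
    case "$major.$minor" in
        5.2) [ "$patch" -ge 20 ] && echo fixed || echo vulnerable ;;
        5.3) [ "$patch" -ge 18 ] && echo fixed || echo vulnerable ;;
        *)   echo vulnerable ;;   # older, unsupported lines received no fix
    esac
}

# audit_spring_dir DIR -> prints "<status> <jar>" per Spring jar; returns 1 if any is vulnerable
audit_spring_dir() {
    rc=0
    for jar in "$1"/spring-*.jar; do
        [ -e "$jar" ] || continue          # no match: the glob is returned literally
        status=$(spring_jar_status "$jar")
        echo "$status $(basename -- "$jar")"
        if [ "$status" = vulnerable ]; then rc=1; fi
    done
    return $rc
}

# Usage: sh audit-spring.sh "$InstallDir/jetty/lib/ext/core"
if [ "$#" -gt 0 ]; then
    audit_spring_dir "$1" || echo "affected Spring jars found; replace them as described in the advisory"
fi
```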