Do we know if ColdFusion, any supported version, is affected by the just-released Spring Framework vulnerability, https://tanzu.vmware.com/security/cve-2022-22965? I need to provide updates to my InfoSec team.
While the IT world is indeed up in arms again about yet another seemingly wide-ranging zero day, I'll say that as we await a reply from Adobe, it's worth noting that though both CF and Spring are based on Java, CF is not based on Spring. And as the vuln seems specific to Spring (from all I've read, since people started asking me yesterday in my role as a CF consultant), it seems therefore that this vuln does not affect CF.
All that said, I am not presenting any official stance, just a reasoned assertion. (In situations like this, many will be reluctant to even offer that.) I wanted to put this out as at least one take on things.
Let's see if Adobe may come out with an official position, whether in reply here or in another forum thread/announcement or portal post (coldfusion.adobe.com). Or CF security maven Pete Freitag may offer his more careful assessment.
(FWIW, I had reached out earlier today to both of THEM about this, since so many are asking.)
I'm in agreement with your assessment of the situation, and while it looks like it is limited to applications built and deployed as a WAR on Tomcat, we all know how Enterprise InfoSec folks are with "Vendor must verify", which is why I figured I'd start a thread in case others were in the same situation.
Of course, and that's why I prefaced my reply with, "as we await a reply from Adobe, it's worth noting" ... and I even ended with the two paragraphs I did, to acknowledge that mine is NOT that vendor verification some would seek. But to be clear, since you started with "do we know", I presumed you were asking "the community" as much as Adobe. As always, I just want to help.
Hi Charlie (and all),
Has Adobe come out with a statement on the Spring4Shell issue that you know of? I can't find anything official anywhere. Thanks for any info you can give!
CF is not impacted by this vulnerability and there is no need for any fix.
Thanks for the reply!
No, they have not. I had asked previously for any and they did not plan to.
At least now we have Priyank's reply here that I see he just offered.