SpringShell 0-day Vulnerability

Hi @all,

Hope you are doing well!

I am relatively new to Graylog, so I just wanted to check with the community to be 100% sure that it does not use any of the Spring modules internally for any of its features, as a vulnerability has been detected in Spring Core on JDK 9+.

Thanks,
Saurabh

Hello,

You may want to look at this documentation.

Pardon me but I don’t see how this addresses the question. Does Graylog use Spring and Tomcat? Which JDK version is used in the official Docker and VM images?

At a glance the answer is no it doesn’t use Spring, and the official Docker uses JDK 8 anyway.

Don’t know about Docker and/or what version you’re talking about. The question above does not state what installation is being used, so I assume it’s from a package handler, in which Oracle Java SE 17 or OpenJDK 17 works.

The official Docker images linked on the releases page. https://www.graylog.org/post/announcing-graylog-v4-2-7 for example.

I am running Graylog 3.3.3 and when I check the nodes in the interface they reported running JDK 1.8.

I understand.
In our environment we use the latest Docker version, 4.2.7, w/ OpenJDK 11.

https://hub.docker.com/r/graylog/graylog

Hello,
I was looking this issue up since I have time and noticed a statement that this is a new SpringShell 0-day vulnerability. Is this correct? I assumed this was from last year.

EDIT: @dscryber I was researching this further; by chance do you have any info on this?

Spring4Shell: Spring users face new, zero-day vulnerability | The Daily Swig

There is a third issue also according to https://www.dynatrace.com/news/blog/what-is-spring4shell-vulnerabilities-in-the-java-spring-framework/

Thanks for chiming in on this post, I totally overlooked this.

Maybe one of the staff members could enlighten us about this.

Hi all,

Also quite new to Graylog. I am checking the repository (*) and there would appear to be no references to Spring libraries in the project.

Is this validation correct to verify if there can be a potential security concern regarding SpringShell 0-day Vulnerability?

Thanks!

(*) graylog2-server/pom.xml at master · Graylog2/graylog2-server · GitHub
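Checking pom.xml, as the post above does, only covers the dependencies a project declares directly; a transitive dependency or a library bundled inside a shaded (fat) jar would not show up there. The following script is an added example (not part of this thread and not Graylog's own tooling) of the complementary check a defender would run on a deployed installation: it walks a directory, opens every .jar/.war with Python's standard zipfile module and reports any class entries under `org/springframework/`, descending into nested jars so that fat jars and `WEB-INF/lib` bundles are covered. The directory layout, file names and jar contents in `demo()` are constructed fixtures, not real Graylog artifacts.

```python
import io
import os
import tempfile
import zipfile
from typing import Dict, List

# Every Spring Framework class lives under this package prefix, so its
# presence in any archive on the classpath means Spring is shipped.
SPRING_PREFIX = "org/springframework/"


def spring_entries_in_archive(data: bytes, depth: int = 0, max_depth: int = 3) -> List[str]:
    """Return the entry names under org/springframework/ found in a jar given as bytes.

    Nested jars (shaded/fat jars, WEB-INF/lib inside a war) are opened recursively
    up to max_depth; their hits are reported as outer.jar!/inner/path.
    """
    hits: List[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                if name.startswith(SPRING_PREFIX):
                    hits.append(name)
                elif name.endswith((".jar", ".war")) and depth < max_depth:
                    nested = spring_entries_in_archive(zf.read(name), depth + 1, max_depth)
                    hits.extend(f"{name}!/{h}" for h in nested)
    except zipfile.BadZipFile:
        # Not a valid zip archive: nothing to inspect, skip it.
        pass
    return hits


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Map each archive (by file name) under root to the Spring entries it contains.

    Only archives with at least one hit are included, so an empty dict means
    no Spring classes were found anywhere under root.
    """
    findings: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.endswith((".jar", ".war")):
                with open(os.path.join(dirpath, fn), "rb") as f:
                    hits = spring_entries_in_archive(f.read())
                if hits:
                    findings[fn] = hits
    return findings


def build_jar(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory jar (a zip file) from a mapping of entry name to content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> Dict[str, List[str]]:
    """Constructed fixture: one clean jar and one fat jar that bundles a Spring jar.

    The class bytes are just the JVM magic number; the scanner only looks at
    entry names, so real class files are not needed for the demonstration.
    """
    root = tempfile.mkdtemp(prefix="jarscan-")
    magic = b"\xca\xfe\xba\xbe"
    clean = build_jar({"org/example/App.class": magic})
    spring_lib = build_jar({"org/springframework/beans/BeanUtils.class": magic})
    # A fat jar that hides Spring one level down: a plain pom.xml check would miss it.
    fat = build_jar({"org/example/Main.class": magic, "lib/spring-beans.jar": spring_lib})
    for name, data in (("clean.jar", clean), ("fat.jar", fat)):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return scan_directory(root)


if __name__ == "__main__":
    for archive, entries in demo().items():
        print(archive)
        for entry in entries:
            print("  ", entry)
```

Pointing `scan_directory()` at the installation's lib directory (or at an extracted Docker image layer) gives the same answer as the source inspection, but for what is actually running; an empty result from both is the combination that supports the "no Spring" conclusion.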

Graylog does not use Spring framework in any supported version through 4.2.7.

