SpringShell 0-day Vulnerability

Hi @all,

Hope you are doing well!

I am relatively new to graylog so just wanted to check with the community to be 100% sure that it does not use any of the spring modules internally for any of it’s features as there has been a vulnerability detected in Spring Core on JDK9+ version.

Thanks,
Saurabh

Hello,

You may want to look at this documentation.

Pardon me but I don’t see how this addresses the question. Does Graylog use Spring and Tomcat? Which JDK version is used in the official Docker and VM images?

At a glance the answer is no it doesn’t use Spring, and the official Docker uses JDK 8 anyway.

Don’t know about Docker and/or what version your talking about. The question above does not state what installation is being used so I assume its from a package handler in which Oracle Java SE 17
or OpenJDK 17 works.

The official Docker images linked on the releases page. Announcing Graylog v4.2.7 | Graylog for example.

I am running Graylog 3.3.3 and when I check the nodes in the interface they reported running JDK 1.8.

I understand,
Our environment we use that latest Docker version 4.2.7 /w OpenJDK 11.

https://hub.docker.com/r/graylog/graylog

Hello
I was looking this issue up since I have time and noticed a statement that this a new SpringShell 0-day Vulnerability. Is this correct? I was assume this was from last year.

EDIT: @dscryber I was research this further by chance you have any info on this?

Spring4Shell: Spring users face new, zero-day vulnerability | The Daily Swig

There is a third issue also according to https://www.dynatrace.com/news/blog/what-is-spring4shell-vulnerabilities-in-the-java-spring-framework/

Thanks for chiming in on this post, I totally over look this.

Maybe one of the staff members could enlighten us about this.

Hi all,

Also quite new to Graylog. I am checking the repository (*) and there would appear to be no references to Spring libraries in the project.

Is this validation correct to verify if there can be a potential security concern regarding SpringShell 0-day Vulnerability?

Thanks!

(*) graylog2-server/pom.xml at master · Graylog2/graylog2-server · GitHub

Graylog does not use Spring framework in any supported version through 4.2.7.

2 Likes

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.