Log4j Vulnerability CVE-2022-22965 and the LPS Family
No action is required for Loftware Print Server (LPS) or Loftware Label Manager (LLM) customers in regard to the CVE-2022-22965 vulnerability. This includes any clients, Connector applications, or Loftware WebAccess (LWA).
Problem
Loftware has noted and analyzed the Loftware Print Server's vulnerability to CVE-2022-22965:
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
These are the prerequisites for the exploit:
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as WAR
- spring-webmvc or spring-webflux dependency
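The prerequisites above can be turned into a deployment inventory check. This is an added example, not Loftware's or Spring's code: it reads the JDK major version from a `java -version` string and inspects a WAR archive for a spring-webmvc or spring-webflux jar; the helper names, the in-memory sample WAR and the version strings are constructed for illustration.

```python
import io
import re
import zipfile

# Jar name prefixes for the spring-webmvc / spring-webflux dependency.
SPRING_WEB_JARS = ("spring-webmvc-", "spring-webflux-")


def jdk_major_version(version_output: str) -> int:
    """Major version from `java -version` output; "1.8.0_332" -> 8, "11.0.15" -> 11."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_output)
    if not m:
        raise ValueError("no JDK version string found")
    major = int(m.group(1))
    if major == 1 and m.group(2):  # legacy 1.x scheme: the second field is the real major
        major = int(m.group(2))
    return major


def spring_web_jars_in_war(war_bytes: bytes) -> list:
    """WEB-INF/lib entries that carry spring-webmvc or spring-webflux."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return [n for n in war.namelist()
                if n.startswith("WEB-INF/lib/")
                and n.rsplit("/", 1)[-1].startswith(SPRING_WEB_JARS)]


def meets_exploit_prerequisites(version_output: str, war_bytes: bytes,
                                servlet_container: str) -> bool:
    """True only when all advisory prerequisites hold: JDK 9+, Tomcat as the
    servlet container, a WAR deployment, spring-webmvc/webflux inside it."""
    return (jdk_major_version(version_output) >= 9
            and servlet_container.lower() == "tomcat"
            and bool(spring_web_jars_in_war(war_bytes)))


def build_sample_war(jar_names) -> bytes:
    """Constructed minimal WAR in memory (stands in for a real deployment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in jar_names:
            war.writestr(f"WEB-INF/lib/{jar}", b"")
    return buf.getvalue()


# Constructed samples: a WAR shipping spring-webmvc, plus two `java -version` strings.
SAMPLE_WAR = build_sample_war(["spring-webmvc-5.3.17.jar", "spring-core-5.3.17.jar"])
JDK11 = 'openjdk version "11.0.15" 2022-04-19'
JDK8 = 'openjdk version "1.8.0_332"'
```

A False result only means the specific Tomcat/WAR exploit path is absent; as the advisory itself notes, the underlying data-binding issue is more general, so patching the Spring Framework remains the fix.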
Solution
Loftware has determined that neither LPS, LLM, LWA nor any of the Connectors or Clients are affected by the Spring Framework vulnerability, CVE-2022-22965. There is no action required.
More Information
If you are a Spectrum customer, please see the following:
TECH NOTE: Spring Framework Vulnerability