SpringShell: Impact of Spring Framework Vulnerabilities on YouTrack and Hub

On March 29, 2022, a zero-day remote code execution (RCE) vulnerability (CVE-2022-22965) was found in Spring Framework. Additionally, two more Spring Framework vulnerabilities were discovered: CVE-2022-22963 (RCE) and CVE-2022-22950 (DoS).

The good news is that these vulnerabilities don't affect YouTrack and Hub. All versions of YouTrack inCloud, YouTrack Standalone, and Hub are safe to use.

Spring Framework is a popular middleware that is indeed used in YouTrack and Hub. However, the vulnerabilities affect parts of the Spring Framework, namely HTTP request processing, that have never been used in YouTrack and Hub. YouTrack and Hub are thus safe.

Security scanners may still flag some of the Spring artifacts included in the YouTrack and Hub distributions. As the new version of Spring that fixes the vulnerabilities is already available, we will release the 2021.1 bugfix versions of YouTrack and Hub to prevent unrelated security scanner alerts. Once that is done, this post will be updated accordingly.

Update Apr 5, 2020: Spring Framework libraries have been updated to the patched version. Please refer to the vendor announcement for more details. The patched version is included in YouTrack 2022.1.45133 and Hub 2022.1.14576. YouTrack Standalone and Hub Standalone users can download the new versions on the corresponding YouTrack and Hub pages. YouTrack inCloud instances are to be updated automatically and don't require any user input. 
