Spring4Shell (CVE-2022–22965)

This critical vulnerability was disclosed on the 30th March 2022 and impacts the Spring framework (3rd party framework that we use within PaperCut MF and NG from version 20.0.0). This vulnerability is commonly referred to as Spring4Shell or SpringShell. More information can be found on the Spring blog which also references the Spring Framework RCE (remote code execution).

The proof of concept (POC) exploit explained in Spring’s blog post requires Apache Tomcat.

While our products do use the Spring framework, we can confirm that none of the PaperCut products use Tomcat (for example our MF and NG products use Apache Jetty). However we believe it could only be a matter of time until exploits are developed for 3rd party products that we do use. To prevent this having an impact on our customers, we have proactively provided maintenance releases as documented below.

Note: This vulnerability has been fixed in version 19 (19.2.7), version 20 (20.1.6), version 21 (21.2.10) and also in versions 22.0.0 and later.

Product Status

Which products are impacted?

ProductVersionStatusAction
PaperCut MF and NG Application Servers & Site Servers20.x or later

(excluding 20.1.6 and 21.2.10)
Impacted*Upgrade Application Servers and Site Servers to:
- 20.1.6 (if currently using version 20.x)
- 21.2.10 (if currently using version 21.x)
- versions 22.0.0 or later.
PaperCut MF and NG Application Servers & Site Servers19.x or earlierNot impactedNo action required for Spring4Shell.

However, if you are running 19.2.1 or later, we recommend upgrading due to a separate vulnerability - more details here: PaperCut MF/NG RCE (PC-18750)
PaperCut Hive
PaperCut Pocket
Print Deploy
Mobility Print
PaperCut User Clients
AllNot impactedNo action required.

* Listed as “Impacted”, even though as mentioned above, the current POC available does not impact PaperCut - we still highly recommend upgrading.

FAQs

Q Is there any impact from applying this fix?

These maintenance releases include an upgraded version of the Rhino JavaScript engine (release note reference PO-816). As a result of this, print scripting and device scripting are now sandboxed by default.

If you are using print scripting or device scripting, we highly recommend reviewing the KB for more information on these changes.

All other functionality and features will work without any impact.

Q Where can I get the upgrade?

Please follow your usual upgrade procedure. Additional links on the ‘Check for updates’ page will allow customers to download fixes for previous major versions which are still supported (e.g. 19.2.7, 20.1.6) as well as the current version (21.2.10).

If you are using PaperCut MF, we highly recommend following your regular upgrade process. Your PaperCut partner or reseller information can also be found on the ‘About’ tab in the PaperCut admin interface.

Q Where are the release notes for these fixes?

You can see the release notes pages for PaperCut MF and NG which list all fixes included per version:

The fix has also been carried forward into versions 22.0.0 and later.

Q What is the CVSS score for Spring4Shell?

Critical severity (CVSS V3.0 Score 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) vulnerability discovered in the Spring framework.

However, as detailed at the top of this article, the proof of concept (POC) exploit explained in Spring’s blog post requires Apache Tomcat. While our products do use the Spring framework, we can confirm that none of the PaperCut products use Tomcat (for example our MF and NG products use Apache Jetty).

Q Do the fixes include the latest version of Spring Framework?

No.

  • MF/NG version 19.2.7 uses Spring version 4.3.25
  • MF/NG version 20.1.6 uses Spring version 4.3.29
  • MF/NG version 21.2.10 uses Spring version 4.3.30

Spring has released updates including fixes for this exploit (versions 5.3.18 and 5.2.20), however we are unable to upgrade the framework immediately, due to the complex nature of migrating to this newer version.

We have implemented the Spring-recommended workaround and this fix is included in the maintenance releases listed above. We will be looking to upgrade to a patched version of Spring in a future release.

Q Is there a mitigation for this if I don’t want to upgrade?

No - there is no manual config or change available at this point - we highly recommend installing the latest maintenance release.

Q What version of log4j do these builds use?

  • 19.2.7: uses log4j 1.x (not impacted)
  • 20.1.6: uses log4j 1.x (not impacted)
  • 21.2.10: uses log4j 2.17.1 (fixed)

See the Log4Shell (CVE-2021-44228) - How is PaperCut Affected? article for more details on log4j.

Q Is there a maintenance release for versions 18 or older?

No - versions 18 and older are now end of life, as documented on our End of Life Policy page.

Q I have a version 19 license and no M&S - can I still get this fix?

Yes! As long as you are running a version which is currently supported (19 and above) you can upgrade to whichever maintenance release version you’re licensed for. For example if you are licensed for version 19 but you don’t have a valid license for version 20, you can update to version 19.2.7 as above.

See our Upgrade Policy page for more information on licensing and upgrades.

Q I saw versions 19.2.6, 20.1.5 and 21.2.9 available at one point - what happened?

We published maintenance releases 19.2.6, 20.1.5 and 21.2.9 on May 18th 2022. We then became aware that a small number of customers with a specific database configuration had to roll back after encountering an upgrade error, so we pulled these maintenance releases from our website to avoid impacting any additional customers. We then identified and fixed the issue with these builds, and have released the new (fixed) builds of 19.2.7, 20.1.6 and 21.2.10. We apologize for the confusion here - it wasn’t our best moment.

The same security fixes that were in the previous (pulled) builds are now in the fixed builds available on the website. If you are not using MS SQL Server as your database, and you upgraded to one of the now-pulled builds, you’ll be able to continue running that build without any issues.

Q Is PaperCut impacted by CVE-2022-22950?

Yes - PaperCut MF and NG are impacted by CVE-2022-22950 since they use version 4.3.x of the Spring framework (see “Do the fixes include the latest version of Spring Framework?” for more details on the exact versions in use).

Please note that this vulnerability is not resolved in version 21.2.10 onwards - we are currently working on upgrading Spring framework to version 5.3.19 or greater. If you want to be notified about progress on this, please contact us and quote issue PO-741.

References


Categories: FAQ, Security and Privacy

Comments