Spring4Shell

Can someone confirm whether or not the OHDSI software suite is vulnerable to the Spring4Shell vulnerability?

Thanks.

Good day, Everybody

According to currently available information (as of 5th April 2022) If you are running on Java Runtime Environment (JRE) 9 or above WebAPI, ARACHNE, ATHENA or any other web application which uses unpatched Spring libraries as a part of it then there is a high risk there is a vulnerability

As the default documented deployment of the aforementioned applications is based on Java 8 we should be currently safe until any further findings are available to the current problematic

Many greetings, Alex

Some relevant information:

• Spring Framework RCE, Mitigation Alternative
• SpringShell (Spring4Shell) Zero-Day Vulnerability: All You Need to Know | JFrog

@gregk @Konstantin_Yaroshove