We interrupt your usual programming (again) to bring you this breaking news (again) about a dangerous and far-reaching vulnerability. This time it is CVE-2022-22965, a.k.a. “Spring4Shell”, a zero-day remote code execution vulnerability in Spring framework. Similarly to Log4Shell, midPoint is not vulnerable to Spring4Shell attack. However, there are some actions that you may need or want to take.
MidPoint is based on Spring framework. However, midPoint is using its own code to parse complex data structures. Therefore, midPoint is not using the DataBinder class in a way that would trigger the vulnerability. Moreover, the vulnerable classloader is not used at all if you are using midPoint in default “stand-alone” deployment mode. Therefore pretty much all midPoint deployments should be safe. However, there may be some risks for non-standard deployments, or heavily customized deployments.
First of all, if you are still using explicit Tomcat deployment model (deploying midpoint.war file to your Apache Tomcat server), you should migrate your deployment to a default stand-alone deployment. The explicit Tomcat deployment was deprecated years ago, we have been recommending the stand-alone model all the time. If you are still deploying to Tomcat, there is nothing to wait for. Go stand-alone. Users running official docker images are safe, as those are based on the default stand-alone deployment.
Even though stock midPoint is not vulnerable, heavily-customized midPoint deployments might be vulnerable, especially if the customization includes a custom REST service. Therefore we are including the patch in support branches in all supported versions of midPoint. The code will be pushed to the repositories soon after this post is published. This is an additional measure which should secure all midPoint deployments. If you are running heavily customized midPoint, and you are not sure whether your customizations are vulnerable, it would be wise to consider upgrading to the builds from the latest support branches. As this is only an additional precaution, and we are not considering midPoint vulnerable as such, we will not be making special midPoint releases at this point.
To summarize: We are certain that the default stand-alone deployments of midPoint are safe, and there is no action needed. The same applies to official Docker images. MidPoint instances that are explicitly deployed to Tomcat server are mostly likely safe as well, however we strongly recommend switching to stand-alone deployment as soon as possible. Heavily customized midPoint deployments may be vulnerable if they include vulnerable custom code. For heavily customized midPoint deployments we recommend upgrading to the builds from latest support branches, and immediately switch to a stand-alone deployment model.