A note on Spring4Shell for Play Java users

[mkurz]

Hey everyone!

In the last day there have been reports about a RCE vulnerability with Spring core running on JDK9+:

• https://www.praetorian.com/blog/spring-core-jdk9-rce/
• https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
• https://blog.sonatype.com/new-0-day-spring-framework-vulnerability-confirmed

People already reached out to us asking if and how Play is affected. Also news broke on Twitter already that's why I thought it's a good idea to come up with an official statement.

Note: As stated in one of the above blog posts, the vulnerability we are talking about here is not CVE-2022-22963 (which doesn't affect Play). There is not currently a CVE associated with the vulnerability, and it is being referred to as "Spring4Shell" or "SpringShell" by users online.

So it seems the vulnerability is around Spring DataBinder which Play Java is using when processing forms. There is no official fix yet from the Spring team. (Update: There is now and Play 2.8.15 ships with that fix)
However, based on what we know right now, the good news for Play Java users is, that they are not affected by the vulnerability in production, as long they are not running their Play applications in Tomcat. James Roper had a closer look last (european) night already, so I am just copy pasting his findings here (thanks @jroper!):

...Now that vulnerability allowed access to the classloader as a Java bean through the .class.classLoader property, and that's where the RCE comes in. If that ClassLoader allows modification, which it does if running in Tomcat, then you have an RCE. However, production Play applications don't ordinarily run in Tomcat, they usually run as regular Java applications, and their classloader is a JDK built in classloader, which doesn't allow modification of the classpath in any way (in dev mode it's another story, I'm not sure if there are ways to exploit there, there may be).

So in practice, production Play Java applications should not be vulnerable to this RCE. However, I will keep track of the situation in case other ways to exploit the vulnerability emerge. Also I will prepare a pull request to apply the mitigations mentioned in the above blog posts and very likely release a new Play 2.8.x version with those patch(es) in case there will not be a new Spring release today.

Also, if anyone is running Play Java applications on Tomcat, please let us know. Thanks!
Also please comment if you think I am missing something here or if you find out about more recent news regarding the vulnerabilities. Thanks!

[mkurz]

And we have a patch release already: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement 🚀
Will upgrade and release soon.

[mkurz]

Play 2.8.15 on its way to maven central. Official announcement should follow later today.

[mkurz]

Announced finally. Had a massive headache that lasted almost 24 hours and couldn't work therefore...

[jroper]

Thanks @mkurz for the speedy response to this!