The recent announcement of CVE-2022-22965, where “a Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding,” has some folks asking if FusionAuth is affected. This CVE is also known as the “Spring4Shell” vulnerability.
FusionAuth is not affected by this vulnerability. FusionAuth does not use Spring MVC or Spring WebFlux; it is built on a different MVC framework, Prime, so the Spring data-binding code that CVE-2022-22965 targets is not present in FusionAuth and the vulnerability cannot be exercised against a FusionAuth deployment.
Spring is a popular application framework and is used in many Java projects, both open source and commercial. When a CVE like this comes out, it makes sense to check all of your applications for the issue. Security is important to us and we understand why customers and users would reach out about this.
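As an added example of that check (this is not FusionAuth's or the Spring project's code), the script below walks `.jar` and `.war` files, including jars nested under `WEB-INF/lib` or `BOOT-INF/lib`, identifies `spring-beans`, `spring-webmvc` and `spring-webflux` artifacts by file name, and compares each version with the first patched Spring Framework releases for this CVE, 5.3.18 and 5.2.20. The WAR it scans is constructed in memory so the script runs offline. Matching on artifact file names is an assumption about how a Maven or Gradle build ships Spring: a shaded or renamed jar will not be detected, so an empty result means "nothing found", not "not vulnerable". The version check also only tells you what is deployed; whether the remaining preconditions hold (the advisory text above mentions JDK 9+) still has to be confirmed per application.

```python
"""Flag Spring Framework artifacts that predate the CVE-2022-22965 fix.

Added illustration, not FusionAuth code. Detection is by artifact file name
(e.g. spring-beans-5.3.17.jar); shaded or renamed jars are not detected.
"""
from __future__ import annotations

import io
import re
import zipfile
from pathlib import Path

# First patched release on each supported Spring Framework line.
# Older 5.x/4.x lines are out of support and received no fix.
PATCHED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# spring-beans carries the data-binding code; spring-webmvc / spring-webflux
# show that the application actually exposes it over HTTP.
ARTIFACT = re.compile(
    r"^(?P<name>spring-(?:beans|webmvc|webflux))-(?P<ver>\d+\.\d+\.\d+)(?:[.-][\w.]+)?\.jar$"
)


def classify(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported' for a Spring Framework version."""
    major, minor, patch = (int(p) for p in version.split("."))
    if major >= 6:  # 6.x was released after the fix
        return "patched"
    fixed = PATCHED.get((major, minor))
    if fixed is None:
        return "unsupported"  # affected line with no patched release: upgrade the line
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def scan_archive(data: bytes, label: str, depth: int = 0, max_depth: int = 3) -> list[tuple[str, str, str]]:
    """Walk one jar/war in memory, recursing into nested jars (WEB-INF/lib, BOOT-INF/lib, ...).

    Returns (location, artifact file name, status) tuples in archive order.
    """
    findings: list[tuple[str, str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            base = entry.rsplit("/", 1)[-1]  # directory entries end in '/', giving ''
            m = ARTIFACT.match(base)
            if m:
                findings.append((f"{label}!{entry}", base, classify(m["ver"])))
            elif base.endswith((".jar", ".war")) and depth < max_depth:
                nested = zf.read(entry)
                if zipfile.is_zipfile(io.BytesIO(nested)):
                    findings.extend(scan_archive(nested, f"{label}!{entry}", depth + 1, max_depth))
    return findings


def scan_path(root: Path) -> list[tuple[str, str, str]]:
    """Scan every .jar/.war under a directory, e.g. a Tomcat webapps/ folder."""
    findings: list[tuple[str, str, str]] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in {".jar", ".war"}:
            findings.extend(scan_archive(path.read_bytes(), str(path)))
    return findings


def needs_attention(findings: list[tuple[str, str, str]]) -> bool:
    """True when any Spring artifact is not on a patched release."""
    return any(status != "patched" for _, _, status in findings)


def _zip_bytes(entries: dict[str, bytes]) -> bytes:
    """Build a zip archive in memory (used only for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_war() -> bytes:
    """Constructed sample: a 5.3.17 MVC app plus a plugin jar that bundles spring-beans 5.2.20."""
    manifest = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}
    plugin = _zip_bytes({"lib/spring-beans-5.2.20.jar": _zip_bytes(manifest)})
    return _zip_bytes({
        "WEB-INF/web.xml": b"<web-app/>",
        "WEB-INF/lib/spring-beans-5.3.17.jar": _zip_bytes(manifest),
        "WEB-INF/lib/spring-webmvc-5.3.17.jar": _zip_bytes(manifest),
        "WEB-INF/lib/plugin.jar": plugin,
    })


if __name__ == "__main__":
    results = scan_archive(sample_war(), "app.war")
    for location, artifact, status in results:
        print(f"{status:12} {artifact:32} {location}")
    print("action needed" if needs_attention(results) else "no unpatched Spring artifacts found")
```

Point `scan_path` at a real deployment directory (for example a Tomcat `webapps/` folder) to run it against your own applications; the sample run reports the two 5.3.17 jars as vulnerable and the nested 5.2.20 jar as patched.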
In conclusion, FusionAuth is not affected by the Spring vulnerability.
To learn more about the CVE, you can:
- visit the CVE description
- visit the VMWare CVE description
- review a detailed report about the vulnerability
- participate in the Hacker News discussion
A bit more about security and FusionAuth
Beyond this specific vulnerability, we want to assure readers that FusionAuth takes security very seriously.
This commitment includes, but is not limited to:
- a responsible disclosure program
- regular penetration tests
- security disclosures in our extensive release notes