Spring Core Framework vulnerability

A vulnerability has been discovered in Spring Core Framework. Spring Core Framework is a set of Java libraries that can be used to develop applications that can then run either standalone or in web application environments such as Tomcat.

Update April 7

Herewith an update on the Spring4Shell vulnerability that we informed you about earlier.

So far, we did not find any applications, from Centric or from external suppliers, that meet the conditions that would make it possible to abuse the vulnerability.

If any other circumstances or new vulnerabilities arise concerning Spring4Shell we will report this.

-----

Update April 1

Herewith an update on the Spring4Shell vulnerability that we informed you about earlier.

Research has shown that the vulnerability can only be exploited in conjunction with Java 9. Java 8 is used for most of Centric's software and that of external suppliers, which means this vulnerability cannot be exploited there.

The investigation is now focusing on the possible use of Java 9 within Centric's applications or those of external suppliers.
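Because the Java runtime is the first condition the update names, an inventory check needs to read the Java version correctly: Java 8 reports itself as "1.8.0_xxx" while Java 9 and later report "9.0.4", "11.0.2" or "17". The following is an added example, not Centric's own tooling; it parses constructed `java -version` output for a set of hypothetical hosts and flags Java 9 or later (treating later releases the same as Java 9 is an assumption beyond the page's wording) for review, since the Java version is a necessary but not sufficient condition.

```python
import re
from typing import Dict, Optional

# Constructed sample `java -version` output for hypothetical hosts (not real systems).
SAMPLE_JAVA_VERSION_OUTPUT: Dict[str, str] = {
    "host-a": 'openjdk version "1.8.0_292"\nOpenJDK Runtime Environment (build 1.8.0_292-b10)',
    "host-b": 'openjdk version "11.0.2" 2019-01-15\nOpenJDK Runtime Environment (build 11.0.2+9)',
    "host-c": 'java version "9.0.4"\nJava(TM) SE Runtime Environment (build 9.0.4+11)',
    "host-d": 'openjdk version "17" 2021-09-14',
    "host-e": "bash: java: command not found",
}

# Matches the quoted version string; group 1 is the first field, group 2 the second.
VERSION_RE = re.compile(r'version "(\d+)(?:\.(\d+))?')


def java_major_version(version_output: str) -> Optional[int]:
    """Return the Java feature release number from `java -version` output.

    Java 8 and earlier use the legacy scheme '1.<major>.0_<update>', so the
    major is the second field; Java 9 and later use '<major>[.minor.patch]'.
    """
    match = VERSION_RE.search(version_output)
    if not match:
        return None
    first = int(match.group(1))
    if first == 1 and match.group(2) is not None:
        return int(match.group(2))
    return first


def triage(hosts: Dict[str, str]) -> Dict[str, str]:
    """Classify each host: 'review' (Java 9+, other conditions still to be
    checked), 'not-affected' (Java 8 or older) or 'unknown' (no version found)."""
    result: Dict[str, str] = {}
    for host, output in hosts.items():
        major = java_major_version(output)
        if major is None:
            result[host] = "unknown"
        elif major >= 9:
            result[host] = "review"
        else:
            result[host] = "not-affected"
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_JAVA_VERSION_OUTPUT).items():
        print(f"{host}: {status}")
```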

Customers who may have questions regarding their systems are kindly requested to contact Centric via their usual channel.

-----

A number of conditions must be met before the vulnerability can be abused, so the impact seems limited for the time being.

According to the NCSC (advisory in Dutch), an update is available, which we are currently assessing. Identification tooling will also become available.

We are currently identifying which applications, our own and those of external suppliers, are potentially affected by this vulnerability. As soon as there is more clarity, including from the Dutch government or other relevant sources, we will inform you further.

Customers who may have questions regarding their systems are kindly requested to contact Centric via their usual channel.