Executive summary
A major security vulnerability has been discovered in the Spring Framework, an open source Java development framework used by some versions of Fusion and Attivio. The vulnerability is colloquially known as “Spring4Shell” because it can allow remote code execution. No Lucidworks products are affected by these vulnerabilities, with the exception of some configurations of Attivio Standalone SearchUI.
Response matrix
| Product | Version | CVE-2022-22963 | CVE-2022-22965 | Mitigation |
|---|---|---|---|---|
| Solr | All | Not Vulnerable | Not Vulnerable | N/A |
| Fusion | 5.x | Not Vulnerable | Not Vulnerable | N/A |
| Fusion | 4.x and lower | Not Vulnerable | Not Vulnerable | N/A |
| Managed Fusion | All | Not Vulnerable | Not Vulnerable | N/A |
| Lucidworks Site Search | All | Not Vulnerable | Not Vulnerable | N/A |
| Lucidworks Search | All | Not Vulnerable | Not Vulnerable | N/A |
| Attivio | All | Not Vulnerable | Not Vulnerable | N/A |
| Attivio Standalone SearchUI | All | Not Vulnerable | Environment Specific (see notes) | Confirm Environment |
| App Studio | All | Not Vulnerable | Not Vulnerable | N/A |
Technical summary
Spring is an open source, lightweight Java application development framework used by millions of developers to create high-performing, easily testable code.
CVE-2022-22963 affects Spring Cloud Function versions 3.1.6 and 3.2.2. When the routing functionality is used, a user can supply a specially crafted Spring Expression Language (SpEL) expression as the routing expression, giving access to local resources and allowing command execution on the host. CVE-2022-22965 (the issue commonly called Spring4Shell) is a separate data-binding vulnerability in the Spring Framework itself; as described in the sections below, the known exploitation path depends on the application being deployed as a WAR on Tomcat and running on JDK 9 or later.
No mitigation steps required for Fusion 5.x
No mitigation steps are required for Fusion 5.x because Fusion does not use Spring Cloud Function. Scans of our containers, performed in response to CVE-2022-22963, found no Spring Cloud Function dependencies. Furthermore, CVE-2022-22965 depends on the application being deployed as a WAR file in a Tomcat container, and Fusion uses neither.
No mitigation steps required for Fusion 4.x or older
No mitigation steps are required for Fusion versions 4.x and older because they do not use the Spring Framework.
No mitigation steps required for Attivio
Attivio is not vulnerable to CVE-2022-22963 or CVE-2022-22965.
Mitigation steps for Attivio SearchUI
Attivio SearchUI is potentially vulnerable to CVE-2022-22965 in certain configurations (see the response matrix). Attivio SearchUI deployed in a standalone configuration runs in a Tomcat container. SearchUI does not ship with Java, so we recommend that customers running standalone SearchUI in Tomcat verify the version of Java in use. This CVE applies to deployments on Java 9 or higher because the exploit relies on class loader features introduced in Java 9.
This does not apply to embedded Attivio SearchUI, which does not use Tomcat and is hosted by the Attivio node. Embedded Attivio SearchUI is not vulnerable.
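The two checks the advisory asks standalone SearchUI operators to perform (which JDK major version the Tomcat host runs, and whether the deployed webapps carry the affected Spring jars) can be scripted. The script below is an added example written for this page, not Lucidworks or Attivio tooling; the Tomcat webapps path, the jar file names it greps for and the sample `java -version` banners are assumptions. The same jar scan is the kind of dependency check the advisory describes running against the Fusion containers for CVE-2022-22963, so it looks for both `spring-beans-*` (CVE-2022-22965) and `spring-cloud-function-*` (CVE-2022-22963) jars.

```bash
#!/bin/sh
# Added example (not from the Lucidworks advisory): a defender-side check for a
# standalone SearchUI host running in Tomcat. All paths are assumptions.

# java_major_version: read a "java -version" banner on stdin and print the JDK
# major version. Handles the legacy "1.8.0_292" form (major is the second
# field) and the post-JDK-9 "11.0.15" / "17" forms (major is the first field).
java_major_version() {
    awk -F'"' '/version/ {
        split($2, v, ".")
        if (v[1] == "1") print v[2]; else print v[1]
        exit
    }'
}

# jdk_in_scope: succeed (exit 0) when the JDK major version is 9 or newer,
# i.e. when the class-loader path used by the CVE-2022-22965 exploit exists.
jdk_in_scope() {
    [ -n "$1" ] && [ "$1" -ge 9 ] 2>/dev/null
}

# scan_webapps: list spring-beans and spring-cloud-function jars found under a
# Tomcat webapps directory, both in exploded webapps and inside packaged WARs.
# $1: webapps directory (assumed path supplied by the caller).
scan_webapps() {
    webapps=$1
    find "$webapps" -type f \
        \( -name 'spring-beans-*.jar' -o -name 'spring-cloud-function-*.jar' \) \
        2>/dev/null
    for war in "$webapps"/*.war; do
        [ -f "$war" ] || continue
        # unzip -l prints the archive listing; keep only the jars of interest.
        unzip -l "$war" 2>/dev/null |
            awk -v war="$war" '/spring-beans-.*\.jar|spring-cloud-function-.*\.jar/ { print war ": " $NF }'
    done
}

main() {
    webapps=${1:-/opt/tomcat/webapps}   # assumed default; pass the real path
    major=$(java -version 2>&1 | java_major_version)
    if jdk_in_scope "$major"; then
        echo "JDK ${major}: JDK 9+ detected; CVE-2022-22965 applies if a vulnerable spring-beans WAR is deployed"
    else
        echo "JDK ${major:-unknown}: the known CVE-2022-22965 exploit path requires JDK 9 or later"
    fi
    echo "Spring jars under ${webapps} (compare versions against the Spring project's fixed releases):"
    scan_webapps "$webapps" || true
}

# Run only when a webapps path (or any argument) is given, so the functions can
# also be sourced and called individually.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it on the Tomcat host as `sh searchui_check.sh /path/to/tomcat/webapps`. A JDK 8 result does not by itself make the deployment safe to leave unpatched; it only means the publicly described exploit path for CVE-2022-22965 is not available, and the listed spring-beans jars should still be compared against the versions the Spring project has fixed.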