A major security vulnerability has been discovered in the Spring Framework, which is an open source Java development framework used by some versions of Fusion and Attivio. The vulnerability is also colloquially known as “Spring4Shell” due to the potential for remote code execution.
More information on the vulnerability can be found here: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
This article represents the best analysis available at the time of publication, or most recent update. We will continue to update this article as more information is learned about this vulnerability.
March 31 2022, 18:26 UTC - Initial Publication
April 1 2022, 18:17 UTC - Updates to Attivio products
April 5, 2022, 17:03 UTC - Formatting update
|Solr||All||Not Vulnerable||Not Vulnerable||N/A|
|Fusion||5.x||Not Vulnerable||Not Vulnerable||N/A|
|Fusion||4.x and lower||Not Vulnerable||Not Vulnerable||N/A|
|Managed Fusion||All||Not Vulnerable||Not Vulnerable||N/A|
|Lucidworks Site Search||All||Not Vulnerable||Not Vulnerable||N/A|
|Lucidworks Search||All||Not Vulnerable||Not Vulnerable||N/A|
|Attivio||All||Not Vulnerable||Not Vulnerable||N/A|
|Attivio Standalone SearchUI||All||Not Vulnerable||Environment Specific (see notes)||Confirm Environment|
|App Studio||All||Not Vulnerable||Not Vulnerable||N/A|
Spring is an open source lightweight Java platform application development framework used by millions of developers using Spring Framework to create high-performing, easily testable code.
The vulnerability affects Spring Cloud Functions in spring versions 3.1.6 and 3.2.2. Using routing functionality, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) as a routing-expression to access local resources and execute commands in the host.
Our analysis is that Fusion is not vulnerable. Lucidworks has scanned our available images for Fusion 5.x and determined that they are not affected by this CVE as they do not utilize Spring Cloud Functions. Spring Cloud Functions are not present on any scan of our containers which we performed in light of this CVE-2022-22963.
Furthermore, CVE-2022-22965 has a reliance on deploying a WAR file on tomcat as a container, neither of which are utilized in Fusion.
Fusion 4.x and older
Fusion versions of 4.x and older do not include the Spring Framework at all, and therefore these CVEs are not relevant to them.
We have determined Attivio is not vulnerable to CVE-2022-22963.
With respect to CVE-2022-22965:
Attivio is not vulnerable under the standard deployment model.
However, Attivio SearchUI when deployed in a standalone configuration does deploy onto a tomcat container. While SearchUI does not ship with java, we recommend that customers using standalone SearchUI deployed in tomcat verify the version of Java. This CVE can apply to deployments on Java 9 or higher due to exploiting class loader features introduced in Java 9.
This does NOT apply to embedded Attivio SearchUI - which does not use tomcat and is hosted by the Attivio node. Embedded Attivio SearchUI is Not Vulnerable.