Zero-day vulnerability Spring4Shell

The question is: does it have impact?
In the article New Spring4Shell Zero-Day Vulnerability Confirmed: What it is and how to be prepared, there is a link made to spring-core.
So version 14.7.5 corresponds to spring-core 5.3.15, using Java 8 and Tomcat 9. And if you're not using DataBinder without an allowlist or denylist, I presume it is safe for now. Is that correct?

Kind regards,
Kitty.

Hi Kitty,
No, this does not affect Bloomreach Experience Manager 14, mostly because it runs on Java 8 and the vulnerability is on Java 9 and up.

Also, IIRC the vulnerability is in spring-mvc, which we don't use. But we'll start using the latest Spring versions directly anyway when released.

Regards, Jeroen
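For readers who do have Spring MVC data binding in their own application (the allowlist/denylist point raised in the question and the spring-mvc point in the answer), here is what the denylist mitigation looks like in practice. This is an added example, not code from this thread or from Bloomreach: a global @ControllerAdvice that registers disallowed fields on every WebDataBinder, so a request parameter whose property path walks through "class" or "Class" is refused instead of bound. The class name DataBinderDenylistAdvice is an assumed name; the pattern list is the one Spring documented for this issue.

```java
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Added example (not part of the original thread or of the Bloomreach code base).
// A global @InitBinder runs for every controller's data binder, so the denylist
// below applies to all Spring MVC request-parameter binding in the application.
@ControllerAdvice
public class DataBinderDenylistAdvice {

    // Property paths that must never be reachable from a request parameter.
    // "class.*" blocks e.g. class.module.classLoader.*, the path the Spring4Shell
    // technique uses on JDK 9+; "*.class.*" blocks the same path reached through
    // a nested bean property; the capitalised variants cover the alternate
    // spelling the bean-property resolver also accepts.
    private static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void setDisallowedFields(WebDataBinder binder) {
        binder.setDisallowedFields(DENYLIST);
    }
}
```

Two caveats a practitioner should check: a controller that declares its own @InitBinder and calls setDisallowedFields itself replaces this list rather than extending it, so every such controller needs the same patterns; and an explicit allowlist (binder.setAllowedFields(...) naming only the expected form fields) is the stronger option, since it rejects any path not listed instead of only the known-bad ones. Neither is relevant to an application that, like the one described in the answer, does not use spring-mvc data binding at all.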

Thanks for the confirmation!