Instructure & the Spring4Shell Vulnerability
On Wednesday, March 29th, a researcher disclosed a critical zero-day vulnerability that affects Spring MVC and Spring WebFlux applications running on JDK 9+. As a member of the Instructure family, we want to update you on what we have done to protect against this vulnerability. First, and most importantly: our customers were not exposed, and there is no action required on your part.
Most Instructure Learning Platform products are not developed in Java. Of the few Instructure products that do use Java, Spring is not commonly used, and those that do use Spring are not deployed in a vulnerable configuration. All affected instances in our SaaS products have been patched.
Q: What is the “Spring4Shell” Vulnerability?
From the NIST National Vulnerability Database: “On March 29, 2022, a security researcher with the handle p1n93r disclosed a Spring Framework remote code execution (RCE) vulnerability, which was archived by vx-underground. This vulnerability, known as Spring4Shell, affects applications that use JDK v9 or above that run Apache Tomcat as the Servlet Container in a WAR package and use dependencies of the spring-webmvc or spring-webflux from the Spring Framework. This vulnerability is being tracked under CVE-2022-22965.”
From the Spring Framework team’s own announcement: “The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.”
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted
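The two quoted descriptions give a defender a concrete checklist for triaging an inventory of services: JDK 9 or newer, deployed as a WAR on Tomcat, with spring-webmvc or spring-webflux on the classpath is the shape the published exploit needs, while any other deployment that still carries those Spring web modules deserves review because the underlying flaw is more general. The script below is an added example, not Instructure's tooling; the inventory it walks is constructed, and the three triage labels and the `Deployment` record are assumptions made for illustration. It also handles the JDK version-string quirk that pre-9 runtimes report `1.<major>` rather than a bare major number.

```python
"""Triage a service inventory against the CVE-2022-22965 preconditions.

Added example (not Instructure's code). The inventory below is constructed
for illustration; the field names and triage labels are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable

# Spring web modules named in the NVD description as the affected dependencies.
SPRING_WEB_MODULES = frozenset({"spring-webmvc", "spring-webflux"})

# Triage labels (assumed names, chosen for this example).
KNOWN_EXPLOIT_PATH = "known-exploit-path"  # matches the published exploit shape
REVIEW = "review"                          # uses Spring web but not in that shape
NOT_AFFECTED = "not-affected"              # no Spring web module, or not Java


def jdk_major_from_version(version: str) -> int:
    """Return the major version from a ``java.version`` style string.

    JDKs before 9 report ``1.<major>.x`` (e.g. ``1.8.0_292``); JDK 9 and later
    report ``<major>.x.y`` (e.g. ``11.0.14``) or just ``<major>`` (``17``).
    """
    m = re.match(r"^(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised JDK version string: {version!r}")
    first, second = int(m.group(1)), m.group(2)
    if first == 1 and second is not None:
        return int(second)  # legacy "1.8" scheme -> 8
    return first


@dataclass(frozen=True)
class Deployment:
    """One deployed service as recorded in a (constructed) inventory."""
    name: str
    language: str                  # "java", "ruby", ...
    java_version: str              # raw java.version string, "" if not Java
    packaging: str                 # "war" or "jar"
    container: str                 # "tomcat", "embedded", "jetty", "none"
    dependencies: FrozenSet[str]   # artifact ids found on the classpath


def uses_spring_web(d: Deployment) -> bool:
    return bool(SPRING_WEB_MODULES & d.dependencies)


def triage(d: Deployment) -> str:
    """Classify one deployment against the conditions quoted in the advisory."""
    if d.language != "java" or not uses_spring_web(d):
        return NOT_AFFECTED
    on_known_path = (
        jdk_major_from_version(d.java_version) >= 9
        and d.packaging == "war"
        and d.container == "tomcat"
    )
    return KNOWN_EXPLOIT_PATH if on_known_path else REVIEW


def triage_inventory(deployments: Iterable[Deployment]) -> Dict[str, str]:
    return {d.name: triage(d) for d in deployments}


# Constructed sample inventory (names and values invented for this example).
INVENTORY = [
    Deployment("grades-api", "ruby", "", "jar", "none", frozenset()),
    Deployment("legacy-report-service", "java", "11.0.14", "war", "tomcat",
               frozenset({"spring-webmvc", "spring-core"})),
    Deployment("notifications", "java", "17.0.2", "jar", "embedded",
               frozenset({"spring-webflux", "spring-boot"})),
    Deployment("batch-runner", "java", "1.8.0_292", "war", "tomcat",
               frozenset({"spring-webmvc"})),
    Deployment("search-indexer", "java", "11.0.14", "jar", "none",
               frozenset({"spring-core"})),
]

if __name__ == "__main__":
    for name, label in sorted(triage_inventory(INVENTORY).items()):
        print(f"{name:24s} {label}")
```

Services labelled `known-exploit-path` are the ones to patch or mitigate first; `review` entries (such as the JDK 8 WAR or the executable-jar deployment above) still carry the affected modules and should be upgraded on the same schedule, in line with the announcement's warning that other exploitation routes may exist.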
Q: What has Instructure done to remediate this?
Instructure has applied appropriate mitigations to affected services and is working to patch any use of, or interface with, the vulnerable component of the Spring Framework. We have reviewed all instances of Spring in Instructure products and have implemented mitigations or upgrades for these services. We are not aware of any successful exploitation of the vulnerability.
Q: Is there anything we need to do as an organization or Canvas user?
No, there’s no action necessary from our customers at this time. We have reviewed all the instances of Spring4Shell in Instructure products and have implemented mitigations or upgrades to the affected services.