Smile CDR Statement on Spring4Shell Vulnerability | Smile Digital Health

Author: James Agnew, CTO | Published: March 31, 2022

On March 31, 2022, a vulnerability was reported against the popular Spring Framework library used in many Java-based applications. This vulnerability has been assigned the identifier CVE-2022-22965. An official writeup from Spring is available here: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

As is often the case with this type of issue, this is an evolving situation and the full extent of the issue is not yet known to the global software community. As always, we will keep monitoring the situation and update this post as needed.

At this time, here is what we know:

  • FHIR Endpoints exposed using Smile CDR and HAPI FHIR are not vulnerable to this issue.

  • We strongly believe that no other modules in Smile CDR or HAPI FHIR are vulnerable to this issue based on available information. We have performed an audit of our codebase and have confirmed that the vulnerable code paths in this issue are not called in any way.

  • However, some modules in Smile CDR and HAPI FHIR do use vulnerable versions of the Spring library, even if the specifically vulnerable functions are not called.

  • The following modules in Smile CDR use this library, although we have not been able to reproduce this issue in any tests so far: SMART Inbound Security module, SMART Outbound Security module, Admin JSON API module, Admin Web module, FHIRWeb Endpoint module.

  • The following modules in HAPI FHIR use this library, although we have not been able to reproduce this issue in any tests so far: hapi-fhir-testpage-overlay, hapi-fhir-jpaserver-starter.

Spring has released a patched version of their library which addresses this vulnerability. As a precaution, we immediately released patch versions of Smile CDR (versions 2021.08.R11, 2021.11.R05 and 2022.02.R03). We encourage all customers to upgrade to a patched version of Smile CDR when possible.
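Because the exposure described above comes from the version of the Spring library a module ships with rather than from Smile CDR or HAPI FHIR code itself, the practical check for an operator is an inventory of Spring artifact versions in a deployment. The script below is an added example, not code from Smile Digital Health or the Spring project: it reads lines in either `mvn dependency:list` form or plain jar file names and flags `org.springframework` artifacts below the fixed release for their line. The fixed versions (5.3.18 and 5.2.20) come from Spring's announcement linked above, not from this page; the artifact list and the sample input are constructed for the example. Release lines older than 5.2 are reported as "unknown" so they are reviewed rather than silently passed, and a "vulnerable" result means only that the library version is affected, not that the deployment is exploitable.

```python
"""Inventory Spring Framework artifacts and flag versions affected by CVE-2022-22965."""
import re
from typing import Iterable, List, Tuple

# Fixed versions per release line, as published in Spring's announcement
# (assumption for this example; verify against the linked page).
FIXED_VERSIONS = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Constructed set of core framework artifacts to check; widen as needed.
SPRING_ARTIFACTS = {
    "spring-beans", "spring-core", "spring-context",
    "spring-web", "spring-webmvc", "spring-webflux",
}

# One pattern for both input shapes:
#   org.springframework:spring-beans:jar:5.3.17:compile   (mvn dependency:list)
#   spring-beans-5.3.17.jar                              (ls lib/)
ARTIFACT_RE = re.compile(
    r"(?:org\.springframework:)?(spring-[a-z]+)[:-](?:jar:)?(\d+)\.(\d+)\.(\d+)"
)


def classify(artifact: str, version: Tuple[int, int, int]) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one Spring artifact version."""
    if artifact not in SPRING_ARTIFACTS:
        return "not-checked"
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # Older or unlisted release line: needs a human look, do not pass it.
        return "unknown"
    return "fixed" if version >= fixed else "vulnerable"


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Parse dependency lines and return (artifact, version, status) findings."""
    findings = []
    for line in lines:
        match = ARTIFACT_RE.search(line)
        if not match:
            continue  # not a core Spring Framework artifact (e.g. spring-security-*)
        artifact = match.group(1)
        version = tuple(int(part) for part in match.group(2, 3, 4))
        version_str = ".".join(str(part) for part in version)
        findings.append((artifact, version_str, classify(artifact, version)))
    return findings


def needs_upgrade(lines: Iterable[str]) -> List[str]:
    """Artifacts that are below the fixed version or on an unreviewed line."""
    return [
        f"{artifact}:{version}"
        for artifact, version, status in scan(lines)
        if status in ("vulnerable", "unknown")
    ]


# Constructed sample input mixing both line formats.
SAMPLE_DEPENDENCIES = [
    "org.springframework:spring-beans:jar:5.3.17:compile",
    "org.springframework:spring-webmvc:jar:5.3.18:compile",
    "spring-core-5.2.19.RELEASE.jar",
    "spring-security-core-5.6.2.jar",
    "spring-web-4.3.30.RELEASE.jar",
]

if __name__ == "__main__":
    for artifact, version, status in scan(SAMPLE_DEPENDENCIES):
        print(f"{artifact:16} {version:10} {status}")
    print("needs upgrade:", needs_upgrade(SAMPLE_DEPENDENCIES))
```

Feed it the output of `mvn dependency:list` for a HAPI FHIR build, or a directory listing of the Smile CDR `lib` folder, and compare the flagged artifacts against the module list above; a "fixed" result across the board is the expected state after moving to one of the patched Smile CDR releases.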