
2 min read
Matt Fellows

This security advisory provides customers with an update on how Pact and PactFlow services are affected by the Spring RCE vulnerability (CVE-2022-22965). This vulnerability has been referred to as SpringShell by some outlets.

What is this vulnerability?

A Remote Code Execution (RCE) vulnerability was discovered in the popular Spring Framework on 31st March 2022:

The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

How does this vulnerability affect Pact or PactFlow?

PactFlow immediately began investigating its environment to identify any affected systems. After an investigation was completed, it was determined that:

  • Spring (and indeed, the JVM) is not used in any of PactFlow's services
  • None of the Open Source clients (such as Pact JVM) are vulnerable

This vulnerability exists when:

  • The application runs on JDK 9 or higher.
  • Apache Tomcat is the Servlet container.
  • The application is packaged as a traditional WAR (in contrast to a Spring Boot executable jar).
  • The application depends on spring-webmvc or spring-webflux.
  • The Spring Framework version is 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or older.

When Pact tests are run, they are run as tests or build tasks, and are not deployed anywhere (to Tomcat or otherwise). Also, Pact-JVM does not use Tomcat at all, but relies on Netty for its internal server components.
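A small triage script for the conditions listed above, added here as an example and not part of the original advisory or of any Pact/PactFlow tooling. It assumes the dependency inventory is in the line format printed by Maven's `dependency:list` goal and that the caller supplies the deployment facts (packaging, container, JDK major version) the advisory lists; the sample dependency lines are constructed. It also separates the narrow exploit conditions from the broader "affected version present" check, since the advisory notes the flaw is more general than the known exploit.

```python
import re
from typing import Iterable, List, NamedTuple, Tuple

# Conditions taken from the advisory: JDK 9+, WAR on Tomcat, a spring-webmvc or
# spring-webflux dependency, and Spring Framework 5.3.0-5.3.17, 5.2.0-5.2.19,
# or anything older.
SPRING_GROUP = "org.springframework"
WEB_ARTIFACTS = {"spring-webmvc", "spring-webflux"}

# Assumed input format: lines as printed by `mvn dependency:list`, e.g.
#   [INFO]    org.springframework:spring-webmvc:jar:5.3.17:compile
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>\w+):"
    r"(?P<version>[\w.\-]+):(?P<scope>\w+)"
)


class Finding(NamedTuple):
    artifact: str
    version: str
    affected: bool  # version falls inside the advisory's stated ranges


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.3.17' or '5.2.19.RELEASE' into a comparable numeric tuple."""
    nums: List[int] = []
    for part in v.split("."):
        if not part.isdigit():
            break  # stop at qualifiers such as RELEASE or SNAPSHOT
        nums.append(int(part))
    return tuple(nums)


def spring_version_affected(v: str) -> bool:
    """True if v is in 5.3.0-5.3.17, 5.2.0-5.2.19, or older than 5.2."""
    t = parse_version(v)
    if len(t) < 2:
        return False  # unparsable version: leave for manual review
    major, minor = t[0], t[1]
    patch = t[2] if len(t) > 2 else 0
    if (major, minor) == (5, 3):
        return patch <= 17
    if (major, minor) == (5, 2):
        return patch <= 19
    return (major, minor) < (5, 2)


def scan_dependencies(lines: Iterable[str]) -> List[Finding]:
    """Pick out spring-webmvc / spring-webflux entries and classify each."""
    findings: List[Finding] = []
    for line in lines:
        m = DEP_LINE.match(line)
        if not m or m["group"] != SPRING_GROUP or m["artifact"] not in WEB_ARTIFACTS:
            continue
        findings.append(Finding(m["artifact"], m["version"],
                                spring_version_affected(m["version"])))
    return findings


def upgrade_needed(lines: Iterable[str]) -> bool:
    """Any affected Spring web dependency warrants patching, whatever the deployment shape."""
    return any(f.affected for f in scan_dependencies(lines))


def exploit_conditions_met(lines: Iterable[str], packaging: str,
                           container: str, java_major: int) -> bool:
    """All of the advisory's conditions for the known exploit hold at once."""
    return (java_major >= 9
            and container.lower() == "tomcat"
            and packaging.lower() == "war"
            and upgrade_needed(lines))


# Constructed sample inventories (not real project output).
SAMPLE_WAR_APP = [
    "[INFO] The following files have been resolved:",
    "[INFO]    org.springframework:spring-webmvc:jar:5.3.17:compile",
    "[INFO]    org.springframework:spring-core:jar:5.3.17:compile",
    "[INFO]    io.netty:netty-all:jar:4.1.75.Final:test",
]
SAMPLE_OUTSIDE_RANGE = [
    "[INFO]    org.springframework:spring-webflux:jar:5.3.18:compile",
]

if __name__ == "__main__":
    for f in scan_dependencies(SAMPLE_WAR_APP):
        print(f"{f.artifact} {f.version}: {'affected' if f.affected else 'ok'}")
    print("exploit conditions met:",
          exploit_conditions_met(SAMPLE_WAR_APP, "war", "tomcat", 11))
    print("exploit conditions met (jar):",
          exploit_conditions_met(SAMPLE_WAR_APP, "jar", "tomcat", 11))
```

The two-tier result mirrors the advisory: a Spring Boot executable jar with an affected version fails the exploit-condition check yet still reports `upgrade_needed`, which is the action a defender should take.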

What actions should I take?

Users of Pact or PactFlow do not need to take any action at this time.

Where can I find more information?

Additional information on this vulnerability can be found here:

One min read

On Monday 2nd May at 01:00 UTC we will be decommissioning the legacy domain name pact.dius.com.au. We don't expect any outage for the PactFlow application.

ACTION REQUIRED

If you currently use a domain name ending in pact.dius.com.au when accessing PactFlow (via the UI, API or Pact client tooling), you need to update the hostname you use to connect to our services to the pactflow.io domain immediately to avoid losing access to your service.

To assist with migrating, you can use both domain names at the same time so that you can gradually cut over your systems to the new domain.

Customers who created accounts on or after July 30 2020 will automatically be using the new domain.

Example

If your PactFlow hostname is currently acme.pact.dius.com.au, you will simply need to change it to acme.pactflow.io. You can do this immediately without impact to your service - there is no need to wait until the cutoff date.

If you have any concerns over this change, please contact us.

One min read
Matt Fellows

This security advisory provides customers with an update on how PactFlow services are affected by the Apache Log4j vulnerability (CVE-2021-44228). This vulnerability has been referred to as Log4Shell by some outlets.

What is this vulnerability?

A Remote Code Execution (RCE) vulnerability was discovered in the popular Java logging library, Log4j. This industry-wide security vulnerability allows for an unauthenticated adversary to execute code on systems that have this library deployed, by providing specific crafted content. This is a serious vulnerability that affects many software products and online services.

How does this vulnerability affect PactFlow?

PactFlow immediately began investigating its environment to identify any affected systems. After an investigation was completed, it was determined that:

  • The Log4j library is not used in any of PactFlow's application services or SDKs;
  • The Log4j library is not used by any of our open source clients (e.g. Pact JVM).

What actions should I take?

Users of Pact or PactFlow do not need to take any action at this time.

Where can I find more information?

Additional information on this vulnerability can be found here: