Does KSE/KRE/TestOps use Spring?

As you may know, there’s a vulnerability known as an RCE (remote code execution) which essentially means that an attacker gets to take complete control of the system. This is the worst of vulnerability situations. This affects the Java framework “Spring”.
Can anyone please confirm that this shouldn’t affect KSE/KRE/TestOps usage?
The CERT advisory is here: VU#970766 - Spring Framework insecurely handles PropertyDescriptor objects with data binding
Thanks!

In any Katalon Studio project folder, you will find a file named .classpath. In the .classpath file you can find all jar files used when your test script runs.

In a .classpath instance I found a line of “spring”:

<classpathentry kind="lib" path="/Applications/Katalon Studio.app/Contents/Eclipse/configuration/resources/lib/spring-context-5.1.0.RELEASE.jar"/>

https://mvnrepository.com/artifact/org.springframework/spring-context/5.1.0.RELEASE

@duyluong

The listed vulnerabilities seem to be affecting KS.

2 Likes

@kazurayam let us read the details.
From the mentioned CVE:

The Spring Framework insecurely handles PropertyDescriptor objects, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Are you running Katalon Studio / KRE as a continuous service,
or just as a ‘per-scope’ application?

For TestOps I will be concerned, but I doubt you have the visibility into that code …

We have Azure DevOps locally hosted remote agent machines which are running our tests in KRE. We develop these tests in KSE on our physical machines. Our results are uploaded to TestOps. I hope this gives you enough information, but please let me know if you have any further questions. Thanks!

@gengland asked us “Does KSE/KRE/TestOps use Spring?” — So I explained how to find if any “spring”-related jar is in the .classpath file; that’s all I attempted.

I have no idea about the vulnerabilities in Katalon products.

1 Like

@kazurayam Nope!
The question was:

Can anyone please confirm that this shouldn’t affect KSE/KRE/TestOps usage?
and is referring to:
http://web.nvd.nist.gov/vuln/detail/CVE-2022-22965

So my detailed answer is:
KSE/KRE are not affected by this vulnerability per se (I already explained why) despite the traces of some Spring libraries used.
(Well, of course, one may implement some web services using KSE and the vulnerable Spring libraries … but why do that?)
Note also:

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.

KSE/KRE are mostly used with JDK 8, not sure if support for the newest Java was implemented. And the rest for details …

For TestOps, the Katalon team must conduct a security analysis as soon as possible and come up with a resolution, due to the large user base.
The attack vector will mostly affect Katalon infrastructure (if that is the case) since, as far as I know, an on-prem install is no longer offered for this product, only the cloud version.
However, all Katalon users have legit concerns regarding a potential data leak / data loss.

Well … of course, Kazu found two other CVEs which may potentially affect KSE … but that is a different animal, subject to further analysis.

1 Like

Hi there,

spring-context-5.1.0.RELEASE.jar is one of the dependencies of Appium Java Client 7.0.0, which is a core framework of Katalon Studio / Katalon Runtime Engine to automate mobile tests.

According to Appium, they use Spring framework for event filtering which is not the behavior to exploit this vulnerability.

Besides that, KS/KRE are used with JRE 8, so we are not affected by this vulnerability.

Katalon Studio team will consider updating Spring framework but it is not ASAP for now.

1 Like
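
The `.classpath` check described earlier in the thread, combined with the Spring MVC / WebFlux condition quoted from the CVE text, as an added example (not code from any poster or from Katalon). The sample file is constructed, only its `spring-context` entry appears in the thread, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample .classpath; only the spring-context entry comes from the thread.
SAMPLE_CLASSPATH = """<classpath>
  <classpathentry kind="src" path="Include/scripts/groovy"/>
  <classpathentry kind="lib" path="/Applications/Katalon Studio.app/Contents/Eclipse/configuration/resources/lib/spring-context-5.1.0.RELEASE.jar"/>
  <classpathentry kind="lib" path="/opt/example/lib/java-client-7.0.0.jar"/>
  <classpathentry kind="lib" path="/opt/example/lib/offspring-utils-1.0.jar"/>
  <classpathentry kind="output" path="bin"/>
</classpath>
"""

# Application types named in the CVE-2022-22965 text quoted in the thread.
WEB_MODULES = {"spring-webmvc", "spring-webflux"}

# <artifact>-<version>.jar, where the artifact starts with "spring-" and the
# version starts with a digit (e.g. spring-context-5.1.0.RELEASE.jar).
JAR_RE = re.compile(r"^(spring-[a-z0-9-]+?)-(\d[\w.]*?)\.jar$")


def find_spring_jars(classpath_xml):
    """Return [(artifact, version, path)] for spring-* jars in kind="lib" entries."""
    root = ET.fromstring(classpath_xml)
    hits = []
    for entry in root.iter("classpathentry"):
        if entry.get("kind") != "lib":
            continue  # src/output/con entries are not jar files
        path = entry.get("path", "")
        # Accept both / and \ separators so Windows project files work too.
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        match = JAR_RE.match(name)
        if match:
            hits.append((match.group(1), match.group(2), path))
    return hits


def web_binding_modules(hits):
    """Spring MVC / WebFlux artifacts among the hits, sorted and de-duplicated."""
    return sorted({artifact for artifact, _, _ in hits if artifact in WEB_MODULES})


if __name__ == "__main__":
    found = find_spring_jars(SAMPLE_CLASSPATH)
    for artifact, version, path in found:
        print(f"{artifact} {version}  <- {path}")
    print("MVC/WebFlux modules on classpath:", web_binding_modules(found) or "none")
```

This is an inventory of the jars a project's `.classpath` references, not an exploitability assessment; jars nested inside other archives and server-side components such as TestOps are outside what it can see.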