Posts tagged 'cve'

  • Spring Framework CVE: How it affects FusionAuth (TLDR: It doesn't)

    The recent announcement of CVE-2022-22965, where “a Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding,” has some folks asking if FusionAuth is affected. This CVE is also known as the “Spring4Shell” vulnerability.

    FusionAuth is not affected by this vulnerability in Spring. FusionAuth uses a different MVC framework, Prime, so there is no way that any FusionAuth applications could be compromised.

  • Log4j CVE: How it affects FusionAuth (TLDR: It doesn't)

    The recent announcement of CVE-2021-44228, which allows for “arbitrary code loaded from LDAP servers when message lookup substitution is enabled” through a vulnerability in Log4j, has many people double-checking the dependencies of their Java applications. This CVE is also known as the “Log4Shell” vulnerability.

    FusionAuth is not affected by this vulnerability in Log4j. FusionAuth uses a different logging framework, Logback, so there is no way that any FusionAuth applications could be compromised.
