Skip to main content

2 posts tagged with "security"

View All Tags

· 2 min read
Matt Fellows

This security advisory provides customers with an update on how Pact and Pactflow services are affected by the Spring RCE vulnerability (CVE-2022-22965). This vulnerability has been referred to as SpringShell by some outlets.

What is this vulnerability?

A Remote Code Execution (RCE) vulnerability was discovered in the popular Spring Framework on 31st March 2022:

The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

How does this vulnerability affect Pact or Pactflow?

Pactflow immediately began investigating its environment to identify any affected systems. After an investigation was completed, it was determined that:

  • Spring (and indeed, the JVM) is not used in any of Pactflow's services
  • None of the Open Source clients (such as Pact JVM) are vulnerable

This vulnerability exists when:

  • Running on JDK 9 or higher
  • Apache Tomcat as the Servlet container.
  • Packaged as a traditional WAR (in contrast to a Spring Boot executable jar).
  • spring-webmvc or spring-webflux dependency.
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.

When Pact tests are run, they are run as tests or build tasks, and are not deployed anywhere (to Tomcat or otherwise). Also, Pact-JVM does not use Tomcat at all, but relies on Netty for its internal server components.

What actions should I take?

Users of Pact or Pactflow do not need to take any action at this time.

Where can I find more information?

Additional information on this vulnerability can be found here:

· One min read
Matt Fellows

This security advisory provides customers with an update on how Pactflow services are affected by the Apache Log4j vulnerability (CVE-2021-44228). This vulnerability has been referred to as Log4Shell by some outlets.

What is this vulnerability?

A Remote Code Execution (RCE) vulnerability was discovered in the popular Java logging library, Log4j. This industry-wide security vulnerability allows for an unauthenticated adversary to execute code on systems that have this library deployed, by providing specific crafted content. This is a serious vulnerability that affects many software products and online services.

How does this vulnerability affect Pactflow?

Pactflow immediately began investigating its environment to identify any affected systems. After an investigation was completed, it was determined that:

  • The Log4j library is not implemented in any of Pactflow's application services or SDKs;
  • The Log4j library is not used by any of our open source clients (e.g. Pact JVM).

What actions should I take?

Users of Pact or Pactflow do not need to take any action at this time.

Where can I find more information?

Additional information on this vulnerability can be found here: