European Commission Digital


eDelivery sample software affected by Remote Code Execution vulnerability reported in Spring Framework

Update 04/04/2022

Patches for all product lines that are under active support are now available:

Original announcement

A vulnerability allowing Remote Code Execution was reported by the Spring Framework project on 31 March 2022. Please refer to the early announcement for details.

The following list indicates all versions of eDelivery sample software that may be impacted if used in the configuration described in the announcement:

SMP, BDMSL and older versions of Domibus are not affected as they do not support JDK 9 or higher, but they do use the vulnerable libraries. Note also that the announcement indicates that “there may be other ways to exploit [the vulnerability] that have not been reported yet.”
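As an added illustration (not part of this announcement and not eDelivery project code): a small POSIX shell triage helper that applies the precondition stated above, a JDK of version 9 or higher, to the first line of a `java -version` banner, and lists the Spring Framework jars found under a deployment's library directory so their versions can be compared against the fixed versions given in the Spring announcement (this page does not state those versions, so none are hard-coded). The banner strings are constructed samples and the function names are assumptions of this example.

```shell
#!/bin/sh
# Triage helper (added example, not from the announcement).
# Pre-9 JDKs report versions as "1.x.y_z"; JDK 9 and later report "x[.y.z]".

# Print the major JDK version found in a "java -version" banner line.
# Returns 1 if no quoted version token is present.
java_major_version() {
    banner="$1"
    ver=$(printf '%s\n' "$banner" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    [ -n "$ver" ] || return 1
    case "$ver" in
        1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;   # 1.8.0_292 -> 8
        *)   printf '%s\n' "$ver" | cut -d. -f1 ;;   # 11.0.2 -> 11, 17 -> 17
    esac
}

# Succeed (exit 0) when the banner describes a JDK that meets the
# "JDK 9 or higher" precondition named in the announcement.
# Exit 2 when the banner cannot be parsed.
jdk_in_scope() {
    major=$(java_major_version "$1") || return 2
    [ "$major" -ge 9 ]
}

# List Spring Framework jars under a library directory (sorted), so the
# versions embedded in their file names can be checked against the Spring
# announcement. No fixed version is hard-coded here.
list_spring_jars() {
    find "$1" -type f -name 'spring-*.jar' 2>/dev/null | sort
}

# Check the JDK actually installed on this host; prints a verdict line.
# Not run automatically so the script works where no java binary exists.
check_local_jdk() {
    banner=$(java -version 2>&1 | head -n 1)
    if jdk_in_scope "$banner"; then
        echo "JDK 9+ detected: $banner"
    else
        echo "JDK below 9 (or unparsed banner): $banner"
    fi
}

# Run against constructed sample banners.
for b in 'java version "1.8.0_292"' \
         'openjdk version "11.0.2" 2019-01-15' \
         'openjdk version "17" 2021-09-14'; do
    if jdk_in_scope "$b"; then
        echo "IN SCOPE    : $b"
    else
        echo "not in scope: $b"
    fi
done
```

On a real host, `check_local_jdk` and `list_spring_jars /path/to/domibus/WEB-INF/lib` (path is an assumption) give the two facts a reviewer needs: whether the JDK precondition holds and which Spring jar versions are deployed; the JDK check only narrows priority, since the announcement itself warns that other exploitation paths may exist.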

The eDelivery team is working to patch all concerned product lines that are under active support immediately. The patched versions will be released as follows:

  • Domibus 4.2.9 will be released on Monday, 4 April 2022
  • SMP 4.1.2 will be released at the latest on Monday, 4 April 2022
  • BDMSL 4.1.1 will be released on Friday, 1 April 2022

We strongly recommend that all users upgrade to the latest versions as soon as they are available, regardless of the configuration they use.

The eDelivery Building Block

eDelivery is a building block that provides technical specifications and standards, installable software and ancillary services to allow projects to create a network of nodes for secure digital data exchange.

Domibus is the sample software provided by the European Commission to implement an eDelivery AS4 Access Point for the interoperable, secure and reliable exchange of data. It is based on the eDelivery AS4 profile, an open technical specification for the secure, web-based, payload-agnostic exchange of data or documents.

SMP is the sample software provided by the European Commission to implement an eDelivery Service Metadata Publisher (SMP) for publishing and retrieving data necessary for an eDelivery party to dynamically configure its system for message exchange with counterparties using eDelivery. It is based on the eDelivery SMP profile, an open technical specification for publishing service metadata within a 4-corner network.

BDMSL is the sample software provided by the European Commission to implement an eDelivery Service Metadata Locator (SML) for an eDelivery party to discover the URLs of other counterparties using eDelivery Access Points and their corresponding metadata. It is based on the eDelivery BDXL profile, an open technical specification for locating Access Points within a network.