Description
On March 29, 2022, an RCE 0-day vulnerability was reported in the Spring Framework. It has been confirmed that SerializationUtils#deserialize can lead to Remote Code Execution (RCE) due to the Java-based serialisation mechanism, and that it can affect anyone using JDK 9 or above.
Environment
Resolution
ZStack includes the Spring Framework but runs on JDK version 8, not JDK version 9.
You can confirm this by running the “java -version” command in a terminal on the ZStack management node.
Please note that ZStack related products are not affected by this vulnerability.
Due to the profound impact of this vulnerability, we suggest ZStack users also check VM applications and contact the corresponding application vendor for a solution.
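The version check described above, as an added example (not ZStack tooling): a shell helper that reads the major version out of “java -version” output, including the legacy “1.8” numbering that JDK 8 reports. The function names and the sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example: read the JDK major version out of `java -version` output.

# Constructed sample outputs (not captured from a real ZStack node).
SAMPLE_JDK8='openjdk version "1.8.0_292"
OpenJDK Runtime Environment (build 1.8.0_292-b10)
OpenJDK 64-Bit Server VM (build 25.292-b10, mixed mode)'
SAMPLE_JDK11='openjdk version "11.0.14" 2022-01-18
OpenJDK Runtime Environment (build 11.0.14+9)
OpenJDK 64-Bit Server VM (build 11.0.14+9, mixed mode)'

# java_major: print the major version found in `java -version` text on stdin.
# JDK 8 and older report "1.<major>.x" (1.8.0_292 means 8); JDK 9 and later
# report "<major>.x" or a bare "<major>", sometimes with a suffix ("17-ea").
java_major() {
    ver=$(sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    case "$ver" in
        1.*) ver=${ver#1.} ;;      # drop the legacy "1." prefix
    esac
    major=${ver%%[!0-9]*}          # keep only the leading digits
    [ -n "$major" ] || return 1
    printf '%s\n' "$major"
}

# jdk_in_named_range: exit 0 for JDK 9 and above (the range named in the
# description), 1 for JDK 8 and older, 2 if no version string was found.
jdk_in_named_range() {
    major=$(java_major) || return 2
    [ "$major" -ge 9 ]
}

# On a live node: java -version 2>&1 | jdk_in_named_range
# (`java -version` prints to stderr, hence the 2>&1).
for sample in "$SAMPLE_JDK8" "$SAMPLE_JDK11"; do
    if printf '%s\n' "$sample" | jdk_in_named_range; then
        echo "JDK $(printf '%s\n' "$sample" | java_major): 9 or above"
    else
        echo "JDK $(printf '%s\n' "$sample" | java_major): below 9"
    fi
done
```

The same helper can be run inside guest VMs when checking the applications mentioned above; the JDK version alone does not establish whether a given application is affected.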