CVE-2025-41234: Under specific conditions, Spring Framework is vulnerable to a reflected file download (RFD) attack. (16-06-2025)

Preface: The Spring Framework is a popular, open-source, Java-based framework that simplifies enterprise application development by providing a comprehensive set of tools and libraries for building robust, scalable, and maintainable applications. It’s known for its core features like dependency injection (DI) and aspect-oriented programming (AOP), and it offers support for various technologies like JDBC, Hibernate, and more. The Spring Framework is a fundamental component of SAP Commerce (formerly known as SAP Hybris). It serves as the foundation for many aspects of the platform, including the Service Layer and the Accelerator storefront.

Ref: SAP products use both Dependency Injection (DI) and Aspect-Oriented Programming (AOP) through the Spring Framework, which is heavily integrated into SAP Commerce (formerly Hybris). Spring's DI manages object dependencies, while AOP modularizes cross-cutting concerns such as logging, security, and transaction management. SAP Commerce (formerly Hybris) licenses can expire: specifically, the on-premise version of SAP Commerce will reach its End of Mainstream Maintenance (EoMM) on July 31, 2026.

Oracle does not have a direct replacement for SAP Commerce (formerly Hybris) in the same way that SAP replaced Hybris with SAP Commerce Cloud. However, Oracle offers a suite of cloud applications, including Oracle CX Commerce, which serves a similar purpose for B2B and B2C e-commerce and can be considered an alternative. Oracle also provides a broader platform, Oracle Fusion Cloud Applications, which includes various SaaS applications that can be integrated to create a comprehensive business solution, including e-commerce capabilities.

Background: Oracle CX Commerce (formerly known as Oracle Commerce Cloud) utilizes the Spring framework. Specifically, the Oracle Commerce Platform integrates with Spring-based applications. Additionally, the toolkit uses Spring to load objects that represent an EAC (Endeca Application Controller) application. Spring Boot, an extension of the Spring framework, is also used to simplify development, particularly for microservices and web applications.

Vulnerability details: In Spring Framework versions 6.0.x from 6.0.5 onward, and versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset and the filename attribute is derived from user-supplied input. Specifically, an application is vulnerable when all of the following are true:

* The header is prepared with org.springframework.http.ContentDisposition.

* The filename is set via ContentDisposition.Builder#filename(String, Charset).

* The value for the filename is derived from user-supplied input.

* The application does not sanitize the user-supplied input.

* The downloaded content of the response is injected with malicious commands by the attacker (see the RFD paper reference for details).

An application is not vulnerable if any of the following is true:

* The application does not set a “Content-Disposition” response header.

* The header is not prepared with org.springframework.http.ContentDisposition.

* The filename is set via one of:

  * ContentDisposition.Builder#filename(String), or

  * ContentDisposition.Builder#filename(String, ASCII)

* The filename is not derived from user-supplied input.

* The filename is derived from user-supplied input but sanitized by the application.

* The attacker cannot inject malicious content in the downloaded content of the response.
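The two conditions above, side by side, as an added illustration (not code from the advisory or from the Spring project): an endpoint that matches every vulnerable condition, and a hardened endpoint that sanitizes the user-supplied name to an ASCII allow-list and uses the filename(String) overload the advisory lists as not vulnerable. The controller, endpoint paths, REPORT body and sanitizeFilename helper are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ExportController {            // hypothetical controller, not from the page
    // Constructed response body; the real risk is attacker-influenced content here.
    private static final byte[] REPORT = "id,total\n1,42\n".getBytes(StandardCharsets.UTF_8);

    // VULNERABLE pattern: every advisory condition holds. The header is built with
    // ContentDisposition, the filename comes straight from the request, it is not
    // sanitized, and it is passed to filename(String, Charset) with a non-ASCII charset.
    @GetMapping("/export/unsafe")
    public ResponseEntity<byte[]> exportUnsafe(@RequestParam("name") String name) {
        ContentDisposition cd = ContentDisposition.attachment()
                .filename(name, StandardCharsets.UTF_8)   // user input + UTF-8: RFD-prone on affected versions
                .build();
        return ResponseEntity.ok()
                .header(HttpHeaders.CONTENT_DISPOSITION, cd.toString())
                .contentType(MediaType.APPLICATION_OCTET_STREAM)
                .body(REPORT);
    }

    // HARDENED pattern: the name is reduced to an ASCII allow-list and passed to
    // filename(String) (filename(String, US_ASCII) would do equally); the extension
    // is chosen by the application, not by the caller.
    @GetMapping("/export/safe")
    public ResponseEntity<byte[]> exportSafe(@RequestParam("name") String name) {
        ContentDisposition cd = ContentDisposition.attachment()
                .filename(sanitizeFilename(name))
                .build();
        return ResponseEntity.ok()
                .header(HttpHeaders.CONTENT_DISPOSITION, cd.toString())
                .contentType(MediaType.APPLICATION_OCTET_STREAM)
                .body(REPORT);
    }

    /** Hypothetical helper: keep only [A-Za-z0-9._-], drop leading dots, cap length, force our extension. */
    static String sanitizeFilename(String userInput) {
        String base = userInput.replaceAll("[^A-Za-z0-9._-]", "_").replaceAll("^\\.+", "");
        if (base.isEmpty()) { base = "download"; }
        if (base.length() > 64) { base = base.substring(0, 64); }
        return base + ".csv";
    }
}
```

With the hardened endpoint, a request such as `GET /export/safe?name=q"; x.bat` yields `attachment; filename="q__x.bat.csv"`, so neither the header nor the saved file's extension is under the caller's control.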

Official announcement: Please see the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2025-41234
