Description:
Spring has released a security advisory to address multiple remote code execution vulnerabilities in Spring Framework. A remote attacker could send a specially crafted request to exploit the vulnerabilities.
Reports indicate that a remote code execution vulnerability (CVE-2022-22963) in Spring Cloud Function is being actively exploited, and that a separate remote code execution vulnerability (CVE-2022-22965) in Spring Framework is also at high risk of exploitation. System administrators are advised to take immediate action to patch their affected systems and mitigate the elevated risk of cyber attacks.
Affected Systems:
- Spring Cloud Function versions prior to 3.1.7 or 3.2.3
- Spring Framework versions prior to 5.3.18 or 5.2.20 that meet the following conditions:
  - Running on Java Development Kit (JDK) version 9 or later
  - Using Apache Tomcat as the Servlet container
  - Packaged as a Web application ARchive (WAR) file
  - Using the spring-webmvc or spring-webflux dependency
According to the information provided, there may be other ways to exploit CVE-2022-22965 that have not yet been reported. System administrators should refer to the latest information from Spring to identify affected systems.
Impact:
Successful exploitation of the vulnerabilities could lead to remote code execution on the affected system.
Recommendation:
Spring has released new versions of affected products to address the issue. The details can be found at:
- https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function
- https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
If the patch for CVE-2022-22965 cannot be applied immediately, administrators of affected systems should follow the recommendations below and take immediate action to deny the vulnerable field patterns "class.*", "Class.*", "*.class.*" and "*.Class.*":
- Option 1:
  - If a web application firewall (WAF) is available, implement detection rulesets that block requests carrying these field patterns.
- Option 2:
  - Deny the vulnerable field patterns by setting "DisallowedFields" on the "dataBinder". Detailed steps to implement this measure can be found at the following URL:
    https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
  - Please note that the application must be recompiled for the change to take effect. Administrators should verify application functionality before deploying the change.
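The following is an added example of the Option 2 mitigation, written for this page; it is not code from the advisory or from Spring's own distribution. It follows the global @ControllerAdvice / @InitBinder workaround that Spring published and assumes Spring Framework 5.x with spring-webmvc on the classpath; the package name and class name are hypothetical.

```java
// Added example (not from the advisory): a global Spring MVC mitigation for
// CVE-2022-22965 that denies the vulnerable field patterns on every
// WebDataBinder. Assumes Spring Framework 5.x (spring-webmvc); the package
// and class names are hypothetical.
package com.example.hardening;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE) // applied after other advice so the denylist is set last
public class BinderControllerAdvice {

    // The field patterns named in the advisory. Both "class" and "Class"
    // spellings are listed because DataBinder pattern matching is case-sensitive.
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void denyClassLoaderFields(WebDataBinder dataBinder) {
        // Merge with any disallowed fields other advice has already configured
        // instead of silently replacing them.
        String[] existing = dataBinder.getDisallowedFields();
        if (existing == null || existing.length == 0) {
            dataBinder.setDisallowedFields(DENYLIST);
            return;
        }
        String[] merged = new String[existing.length + DENYLIST.length];
        System.arraycopy(existing, 0, merged, 0, existing.length);
        System.arraycopy(DENYLIST, 0, merged, existing.length, DENYLIST.length);
        dataBinder.setDisallowedFields(merged);
    }
}
```

Two points to check before relying on this: the class must be on the component scan path and the application recompiled and redeployed, as the advisory notes; and a controller that declares its own @InitBinder method calling setDisallowedFields overrides the global list for that controller, so such controllers need to be reviewed individually. The workaround reduces exposure but does not replace upgrading to the fixed Spring Framework versions.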
More Information:
- https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function
- https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
- https://www.csa.gov.sg/en/singcert/Alerts/al-2022-016
- https://www.cyber.gov.au/acsc/view-all-content/alerts/multiple-vulnerabilities-present-spring-framework-java
- https://www.hkcert.org/security-bulletin/spring-framework-remote-code-execution-vulnerability_20220401
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965