Description
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CVE-2022-22965 affects Spring MVC and Spring WebFlux applications running JDK versions 9 and later. A new feature was introduced in JDK version 9 that allows access to the ClassLoader from a Class. This vulnerability can be exploited for remote code execution (RCE). The vulnerability is caused by the getCachedIntrospectionResults method of the Spring framework wrongly exposing the class object when binding the parameters.
Timeline
- 3-31-2022 Identified
- 4-4-2022 Updated
CVE Record
- CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
- CVE-2022-22965: Remote code execution in Spring Framework via Data Binding on JDK9+
- CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability
- CVE-2022-22950: Spring Expression DoS Vulnerability
Prerequisites for the exploit:
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as WAR
- spring-webmvc or spring-webflux dependency
Mitigation
Users of affected versions should apply the following mitigation: 5.3.x users should upgrade to 5.3.18+; 5.2.x users should upgrade to 5.2.20+. No other steps are necessary. There are other mitigation steps for applications that cannot upgrade to the above versions. Those are described in the early announcement blog post, listed under [SPRING] in the CITE section.
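As an added illustration (not code from this advisory, from CyAlly, or from the Spring project), the following shows the data-binding denylist workaround that Spring's early announcement blog post describes for applications that cannot upgrade yet: a global @ControllerAdvice that refuses any bound property path passing through "class"/"Class", plus a controller that sets its own disallowed fields and therefore has to carry the denylist as well. The package name, the class names and the extra "id" field are assumptions made for this example.

```java
// Added example, not part of the advisory or of the Spring Framework sources.
// Package and class names are assumptions for illustration.
package com.example.hardening;

import java.util.Arrays;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Global workaround: applied to every controller's WebDataBinder, so request
 * parameters such as "class.module.classLoader..." are never bound. Lowest
 * precedence means it runs after any other advice, but a controller-local
 * @InitBinder still runs after it (see OrderController below).
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Property-path patterns that must never be bound from request data.
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        dataBinder.setDisallowedFields(DENYLIST);
    }
}

/**
 * Edge case: a controller-local @InitBinder that calls setDisallowedFields
 * replaces the array set globally, so the denylist must be merged in here too,
 * otherwise this controller silently loses the protection.
 */
@RestController
class OrderController { // assumed controller name

    @InitBinder
    void initBinder(WebDataBinder binder) {
        // Keep the global denylist and add this controller's own disallowed field.
        String[] local = Arrays.copyOf(BinderControllerAdvice.DENYLIST,
                                       BinderControllerAdvice.DENYLIST.length + 1);
        local[local.length - 1] = "id"; // assumed field that clients must not set
        binder.setDisallowedFields(local);
    }

    @PostMapping("/orders")
    String create(OrderForm form) { // assumed form-backing bean
        return "created";
    }

    // Assumed form-backing bean; only "note" is a legitimately bindable field.
    static class OrderForm {
        private String note;
        public String getNote() { return note; }
        public void setNote(String note) { this.note = note; }
    }
}
```

This workaround only narrows what data binding will accept; it does not replace the upgrade, and any controller that installs its own disallowed-field list without the denylist patterns is left unprotected.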
CyAlly recommends clients patch as soon as patches become available. We have updated runbooks and policies for our clients.
- XDR/SOC Clients have new Event Dashboards created for “Spring4Shell” views
- Cloudflare WAF Managed Rule “Spring – CVE:CVE-2022-22947” applied.
- Palo Alto Firewalls have IDS/IPS – Threat IDs 92393 and 92394 applied.
- SonicWall Firewalls have IDS/IPS Rules 2609, 13431, 13432, 13443, 13443 applied.
- CISCO Firewalls have IDS/IPS – Snort SIDs: 30790-30793, 59388, and 59416 applied.
Releases that have fixed this issue include:
Spring Framework
- 5.3.18+
- 5.2.20+
Affected Products and Versions (SEE CITE)
Severity is critical unless otherwise noted
- Spring Framework
- 5.3.0 to 5.3.17
- 5.2.0 to 5.2.19
- Older, unsupported versions are also affected
Credit
This vulnerability was responsibly reported to VMware by codeplutos, meizjm3i of AntGroup FG Security Lab. A secondary report was also received from Praetorian.
CITE
[RESEARCH]
https://packetstormsecurity.com/files/166219/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html
https://blog.cloudflare.com/waf-mitigations-spring4shell/
https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/#springshell-exploit
https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKCLOUD-2436645
https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751
https://github.com/spring-cloud/spring-cloud-function/issues/840
[SPRING]
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
[CISCO]
https://blog.talosintelligence.com/2022/03/threat-advisory-spring4shell.html
[SONICWALL]
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005
https://securitycenter.sonicwall.com/m/page/security-news
[PALO ALTO]
https://security.paloaltonetworks.com/CVE-2022-22963
https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/
[VMWARE]
https://www.vmware.com/security/advisories/VMSA-2022-0010.html