This live blog contains information regarding Spring Framework vulnerabilities. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on April 8, 2022.
Update April 8, 2022
10:00 | As with the Log4J vulnerabilities, the NCSC has published a GitHub page with several overviews regarding the vulnerability in the Spring Framework. This overview is maintained in collaboration with various security companies.
The GitHub page contains the following topics:
- An overview of scripts/applications and advice to detect the presence or abuse of vulnerable implementations
- An overview of possibly affected software
- An overview of possibly affected services
Call to Action:
- Determine which applications are used within your organisation. Initially focus on applications that can be accessed directly from the internet, without going through an SSL VPN connection
- Determine what applications are vulnerable to the Spring4Shell vulnerability
- Several scan/check scripts are available that can help to identify vulnerable applications
- Install a patch or apply a workaround when available
Update March 31, 2022
17:00 | On the 31st of March, the Spring project has published an update regarding the “Spring4Shell” vulnerability which exists in the Spring Core Framework. A CVE-number is assigned to the vulnerability: CVE-2022-22965.
Additionally, patches for the vulnerability are now available. It is advised to update to Spring Framework version 5.3.18 or 5.2.20. All versions prior to 5.3.18 and 5.2.20 are vulnerable for CVE-2022-22965. In case patching is not an option, a suggested workaround is available in the original blog post of Spring.
10:00 | On the 29th of March, Spring Framework which is supported by VMWare published a patch (CVE-2022-22963) fixing a vulnerability in the routing functionality of the Spring Cloud Function. One or more unauthenticated remote code execution exploits have been published.
Additionally, a new zero-day vulnerability in Spring Core Framework has been publicly disclosed, named “Spring4Shell”. This vulnerability allows for unauthenticated remote code execution.
We advise to check if your products are vulnerable for CVE-2022-22963 and apply the required patch as soon as possible. Currently no patch is available for Spring4Shell. We advise to keep an eye out for patches and apply them as soon as they become available.
Reason and background of this blog
This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.
Potential risk
The vulnerability CVE-2022-22963 has a CVSS-score of 5.4. The advisory published by VMWare describes an unauthenticated attacker may get access to local resources by sending a specially crafted SpEL as routing-expression when using the routing functionality. However, this score may be incorrect, as unauthenticated remote code execution exploits have been published.
The vulnerability referred to as “Spring4Shell” has CVE-2022-22965 associated. The exploit of the vulnerability has several dependencies and requires multiple requests to achieve code execution. There are likely multiple ways to exploit the vulnerability, which lead to unauthenticated remote code execution. Multiple exploits in an early stage are being shared online.
Both vulnerabilities allow a remote unauthenticated attacker to directly construct malicious requests to trigger remote code execution. Proof-of-concept exploits are public disclosed, enabling attackers to further develop and improve the exploits.
Detail info
Both vulnerabilities allow a remote unauthenticated attacker to directly construct malicious requests to trigger remote code execution. Proof-of-concept exploits are public disclosed, enabling attackers to further develop and improve the exploits.
In the VMWare advisory for CVE-2022-22963 Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions are being described as affected.
The Spring4Shell vulnerability can only be exploited on systems running JDK 9 or higher. Which versions of the Spring Core Framework are affected, is currently unknown.
It is strong advised upgrading Spring Cloud Function to 3.1.7 or 3.2.3, patching vulnerability CVE-2022-22963.
Currently there is no patch available for Spring4Shell. However, as a work-around, it is advised to “patch” DataBinder by adding a blacklist of vulnerable field patterns required for exploitation. More information can be found in the write-up of LunaSec.
Background
More information:
- CVE-2022-22963
- Spring4Shell
- General
Subscribe
Do you want to be informed in time? Sign up for our technical updates
Would you like to receive these critical vulnerabilities by e-mail from now on? Enter your e-mail address below.
Tesorion uses your personal data to send out requested information and possibly for contact by telephone and for marketing and sales purposes. You can change your preferences whenever you want. Read our privacy policy for more information.