A pair of critical remote code execution vulnerabilities impacting Spring were disclosed this week, raising fears that the security world and beyond could face a repeat of December’s “Log4Shell” chaos.
Thus far, those concerns haven’t been realized. Although both CVE-2022-22965 and CVE-2022-22963 are RCE vulnerabilities, they differ from Log4Shell in that they don’t affect nearly as many configurations. For example, Spring4Shell only impacts projects with a very specific non-default deployment configuration that use a very specific part of Spring.
However, the vulnerabilities are serious, and it’s still important for organizations to be mindful of their impact.
The first vulnerability to be published was CVE-2022-22963, which impacts the Spring Cloud Function. CVE-2022-22963 was published on Tuesday, March 29, and is considered critical.
The other was CVE-2022-22965, which impacts the Spring Framework. CVE-2022-22965 was published on Thursday, March 31 and is also considered critical.
Spring Cloud Function and the Spring Framework are both open source, and both are maintained by VMware.
CVE-2022-22965: Spring Framework Remote Code Execution
CVE-2022-22965, Spring4Shell, has the potential to impact Spring MVC or Spring WebFlux applications running on JDK 9 or higher (via data binding). The Spring Framework supports application development in Java.
Per the official Spring blog announcement:
“The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.”
In addition to the above requirements (JDK 9 or higher, Apache Tomcat as the Servlet container, packaged as a traditional WAR), only Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older are impacted.
If you are uncertain whether your application is vulnerable to Spring4Shell, we recommend running a scan in FOSSA.
If you are affected, you have several mitigation options. The simplest is to upgrade to a safe, supported version of the Spring Framework (VMware suggests that 5.3.x users upgrade to 5.3.18+ and 5.2.x users upgrade to 5.2.20+).
If you are unable to upgrade to one of these versions, upgrading to Apache Tomcat 10.0.20, 9.0.62, or 8.5.78 is also an option. However, the Spring blog cautions that “this should be seen as a tactical solution, and the main goal should be to upgrade to a currently supported Spring Framework version as soon as possible.”
If you are unable to upgrade a vulnerable version of the Spring Framework or Apache Tomcat, Spring suggests that users consider a global WebDataBinder workaround. For additional context on this workaround, including potential loopholes, we highly recommend you view Spring's blog.
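As an added illustration (not code from this post or from the Spring project), the following is a global WebDataBinder workaround of the kind the Spring blog describes: a @ControllerAdvice whose @InitBinder method sets disallowedFields for every controller, assuming a hypothetical package and class name.

```java
// Added example (not from the FOSSA post or the Spring project): a global
// WebDataBinder hardening for deployments that cannot yet upgrade past
// CVE-2022-22965. Package and class names are hypothetical.
package com.example.hardening;

import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// @ControllerAdvice applies this @InitBinder method to every controller, so
// the restriction covers all request data binding rather than one endpoint.
@ControllerAdvice
public class BinderControllerAdvice {

    // Request parameters whose names match these patterns are ignored by the
    // binder. They block binding into the "class" property (and the nested
    // ClassLoader / ProtectionDomain paths reachable through it), which is
    // the path the published exploit reaches through data binding.
    static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Caveat (one of the loopholes the Spring blog alludes to): global
        // @InitBinder methods run before controller-local ones, and
        // setDisallowedFields(...) replaces the array rather than appending
        // to it. A controller that declares its own @InitBinder and calls
        // setDisallowedFields(...) therefore discards this denylist for that
        // controller; audit such controllers and add these patterns there too.
        dataBinder.setDisallowedFields(DENYLIST);
    }
}
```

This only narrows the specific binding path; as the post notes, the real fix is upgrading to a supported Spring Framework version.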
CVE-2022-22963: Spring Cloud Function Remote Code Execution
On its website, Spring Cloud Function is described as a program that enables users to “abstract away all of the transport details and infrastructure, allowing the developer to keep all the familiar tools and processes, and focus firmly on business logic.”
Per VMware, CVE-2022-22963 impacts Spring Cloud Function versions 3.1.6, 3.2.3, and older unsupported versions.
With this vulnerability, it’s possible for someone to “provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.”
As is the case with CVE-2022-22965, you’ll first want to confirm whether your application is vulnerable to this CVE. You can do this by scanning your project in FOSSA.
If your application is vulnerable, it’s recommended that you upgrade to Spring Cloud Function 3.1.7 or 3.2.3.
Editor’s Note: The information in this blog is current as of Friday, April 1. We will provide additional information and updates if and when they become available. If you are a current FOSSA customer and have questions about mitigation, please feel free to reach out to your customer support contact.