2022-03-31

Spring Vulnerabilities

Level: 
  |  Source: 
LunaSec
Share:

Spring Vulnerabilities

Industry: N/A | Level: Tactical | Sources: LunaSec & Rapid7

Overview: Vulnerabilities affecting application framework Spring have been identified on March 29th, 2022. The most relevant involves Spring4Shell affecting Spring Core (CVE-2022-22965) and Spring Cloud Function (CVE-2022-22963), involving remote code execution. A third deserialization vulnerability has also been identified however currently lacks detail. The known vulnerabilities are listed below along with applicable detection content.Vulnerabilities

  • CVE-2022-22965/Spring4Shell: Remote code execution vulnerability impacting Spring Core versions 5.3.17 and older. The vulnerability as detailed by Spring "impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit." Requirements needed to exploit the vulnerability that includes:
  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
  • spring-webmvc or spring-webflux dependency
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
  • Anvilogic Detection: Spring4Shell - CVE-2022-22965
  • Patch: Spring having provided emergency updates under versions 5.3.18 and 5.2.20.
  • CVE-2022-22963: Remote code execution for Spring Cloud Function affecting versions 3.1.5, 3.2.2 and older. As described by VMW are “when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in access to local resources.”
  • Anvilogic Detection: Spring-Cloud-Function - CVE-2022-22963
  • Patch: Update to versions 3.1.7 and 3.2.3.
  • Unconfirmed Spring Core deserialization vulnerability Additional details needed, potential use case recommendation: AVL_UC5028 - Java Deserialization Exploit

Detection Use Cases:

  • Spring4Shell - CVE-2022-22965
  • Spring-Cloud-Function - CVE-2022-22963
  • [Potential Use Case] Java Deserialization Exploit

Chat with our team to receive a free maturity assessment

Get in Touch