MARCH 31, 2022 23:35 GMT
A zero-day remote code execution vulnerability (CVE-2022-22965) has been discovered in the Spring Core module of the Spring Framework for Java application development after proof-of-concept (PoC) code was prematurely released by a researcher. Administrators are urged to update Spring Framework to a fixed version (5.3.18 or 5.2.20) or apply a workaround to mitigate risk.
Note that this critical vulnerability is not to be confused with CVE-2022-22963, published the day prior, which affects Spring Cloud Function rather than Spring Framework.
The situation is evolving and updates will be appended to the top of this advisory.
The Spring Framework is developed by the Spring team at VMware. It is a Java application framework that allows rapid development and deployment of enterprise applications structured for modern cloud and microservice architectures. It is also bundled with several VMware products to complement their virtualization/containerization model.
On March 30, 2022, a Chinese-speaking researcher published a GitHub commit containing proof-of-concept exploit code for a zero-day vulnerability in the Spring Core module of the Spring Framework. The commit has since been deleted, presumably because releasing vulnerability specifics before Spring had time to publish a fix was considered irresponsible.
The exploit has been dubbed Spring4Shell, an unavoidable comparison with Log4Shell, the most recent high-profile Java library vulnerability.
There is little published technical detail at the time of this writing. VMware states that the vulnerability is an RCE via data binding that requires the application to run on Tomcat as a WAR deployment.
If the application is deployed as a Spring Boot executable JAR, which is the default, it is not vulnerable to the public exploit. However, the underlying flaw is general, and other exploitation paths that do not depend on Tomcat or WAR packaging may yet be found.
From Rapid7 research, “The vulnerability appears to affect functions that use the @RequestMapping annotation and POJO (Plain Old Java Object) parameters.” The post then demonstrates how a web shell can be dropped with a single curl request.
Which versions are vulnerable?
Exposure to Spring4Shell depends on configuration and a specific set of conditions. The conditions below are taken from the Rapid7 blog post.
Prerequisites for the exploit:
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as WAR
Combinations of varying vulnerability:
- Unpatched Spring (prior to 5.3.18 / 5.2.20) AND JDK 9+ = Maybe vulnerable.
- Unpatched Spring AND JDK 9+ AND handlers using the @RequestMapping annotation with POJO parameters = Definitely vulnerable.
- Unpatched Spring AND JDK 9+ AND handlers using the @RequestMapping annotation with POJO parameters AND running on Apache Tomcat = Highly vulnerable, with public PoCs available.
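As an added example (not from this advisory, Rapid7 or Spring), the conditions above expressed as a triage routine. The decision logic takes plain strings so it can be exercised offline; main() reads the live values from the JVM. SpringVersion.getVersion() and java.specification.version are real APIs; the class name and the triage.* system properties are illustrative.

```java
import org.springframework.core.SpringVersion;

// Added example: classify a deployment against the Spring4Shell conditions.
public class Spring4ShellTriage {

    /** Parse "5.3.17", "5.3.17.RELEASE" or "5.3.17-SNAPSHOT" into {5, 3, 17}. */
    static int[] parse(String version) {
        String[] parts = version.split("\\.");
        int[] nums = new int[3];
        for (int i = 0; i < 3 && i < parts.length; i++) {
            String digits = parts[i].replaceAll("[^0-9].*$", ""); // strip "-SNAPSHOT" etc.
            nums[i] = digits.isEmpty() ? 0 : Integer.parseInt(digits);
        }
        return nums;
    }

    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) return Integer.compare(a[i], b[i]);
        }
        return 0;
    }

    /** True if the Spring Framework version predates the fix (5.3.18 / 5.2.20). */
    static boolean springUnpatched(String version) {
        int[] v = parse(version);
        if (v[0] == 5 && v[1] == 3) return compare(v, new int[]{5, 3, 18}) < 0;
        if (v[0] == 5 && v[1] == 2) return compare(v, new int[]{5, 2, 20}) < 0;
        // Branches newer than 5.3 carry the fix; older branches (5.1.x, 4.x, ...)
        // are out of support and never received one, so treat them as unpatched.
        return v[0] < 5 || (v[0] == 5 && v[1] < 2);
    }

    /** JDK 9+ is required: it exposes the class -> module -> classLoader path. */
    static boolean jdk9Plus(String specVersion) {
        // java.specification.version is "1.8" for JDK 8, then "9", "11", "17", ...
        return !specVersion.startsWith("1.");
    }

    static String verdict(String springVersion, String javaSpec, boolean tomcatWar, boolean pojoBinding) {
        if (springVersion == null) return "unknown Spring version: inspect the bundled spring-beans jar";
        if (!springUnpatched(springVersion)) return "not vulnerable: Spring is patched";
        if (!jdk9Plus(javaSpec)) return "not vulnerable to the public exploit: JDK 8 or older";
        if (pojoBinding && tomcatWar) return "highly vulnerable: public PoC applies (Tomcat WAR + POJO binding)";
        if (pojoBinding) return "vulnerable: @RequestMapping handlers bind POJO parameters on JDK 9+";
        return "maybe vulnerable: unpatched Spring on JDK 9+; review data binding usage and upgrade";
    }

    public static void main(String[] args) {
        String spring = SpringVersion.getVersion();                  // e.g. "5.3.17", null if no manifest
        String java = System.getProperty("java.specification.version");
        // Illustrative flags: set -Dtriage.tomcatWar=true -Dtriage.pojoBinding=true from your own review.
        boolean tomcatWar = Boolean.parseBoolean(System.getProperty("triage.tomcatWar", "false"));
        boolean pojo = Boolean.parseBoolean(System.getProperty("triage.pojoBinding", "false"));
        System.out.println(verdict(spring, java, tomcatWar, pojo));
    }
}
```

Run it on the application's own classpath (for a WAR, WEB-INF/lib) so that SpringVersion reports the bundled spring-core, not whatever happens to be installed system-wide; the two flags have to come from a manual review, since whether handlers bind POJO parameters is not observable from version strings.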
How to fix?
The fix is to upgrade to Spring Framework 5.3.18 or 5.2.20. For some environments an upgrade is not trivial, so the official Spring advisory also details workarounds.
See the “Suggested Workarounds” section of the Spring early advisory. The recommended workaround registers a @ControllerAdvice with an @InitBinder method that adds the class loader property paths (class.*, Class.*, *.class.* and *.Class.*) to WebDataBinder’s disallowed fields, so that data binding can no longer reach them. Applications that already set disallowed fields in their own @InitBinder methods, or that customize WebDataBinder initialization, need to include these patterns there as well, since a local setDisallowedFields call replaces the global list.
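The following is an added example, not code from this advisory or from Spring’s own repository. It shows the handler pattern Rapid7 flags (an @RequestMapping-family method binding request parameters onto a POJO) next to the denylist @ControllerAdvice described in Spring’s “Suggested Workarounds”. The Greeting and GreetingController classes are illustrative; the advice class mirrors the structure of the advisory’s workaround.

```java
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

// Illustrative POJO: WebDataBinder populates it from request parameters by
// walking setter chains, which is exactly the mechanism the exploit abuses.
class Greeting {
    private String name;
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
}

@RestController
class GreetingController {
    // Pattern flagged by Rapid7: a mapping-annotated handler with a POJO parameter.
    // On unpatched Spring running on JDK 9+, a request that supplies nested property
    // paths starting with "class.module.classLoader" is bound right through the
    // POJO's Class object into the class loader. This handler needs no change;
    // the advice below stops the binder from following those paths.
    @PostMapping("/greet")
    public String greet(Greeting greeting) {
        return "Hello " + greeting.getName();
    }
}

// Workaround from the Spring advisory: one advice applied to every controller.
// Low precedence so it runs after any other @InitBinder advice in the app.
@ControllerAdvice
@Order(10000)
class BinderControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Block every property path that reaches Class or ClassLoader, at any depth.
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

The denylist is matched with Spring’s simple wildcard patterns, so "*.class.*" covers nested paths such as "greeting.class.module…" as well as the top-level "class.*". Because setDisallowedFields replaces rather than appends, a controller-local @InitBinder that calls it with its own array silently drops these patterns; either merge them into every such call or, as the advisory suggests for that case, extend RequestMappingHandlerAdapter to enforce the denylist after all other initialization.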
Multiple Spring CVEs
Three Spring CVEs have been published in the last three days: two critical and one medium.
- Spring Cloud Function RCE (CVE-2022-22963): CRITICAL
- Spring Framework RCE (CVE-2022-22965): CRITICAL (THIS ADVISORY)
- Spring Expression DoS (CVE-2022-22950): MEDIUM
References
- Spring.io early advisory for CVE-2022-22965
- Rapid7: Spring4Shell: Zero-Day Vulnerability in Spring Framework
- VMware advisory for CVE-2022-22965