Spring Framework Remote Code Execution Vulnerability (CVE-2022-22965)
Apr 01, 2022 GMT+08:00
I. Overview
On March 31, Spring officially announced a remote code execution vulnerability (CVE-2022-22965) in the Spring Framework when it runs on JDK 9 or higher. Attackers can exploit this vulnerability to execute arbitrary code remotely. The vulnerability is easy to exploit, proof-of-concept and exploit code (POC/EXP) have already been disclosed, and the risk is high.
The Spring Framework is an open-source, lightweight application framework for building complex web applications on top of the Java Enterprise Edition (EE) platform. If you use the Spring Framework, check your systems and apply security hardening promptly.
Reference:
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
https://www.cnvd.org.cn/webinfo/show/7541?spm=a2c4g.11174386.n2.4.acfa4c072aP8GB
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected versions:
Spring Framework 5.3.x < 5.3.18
Spring Framework 5.2.x < 5.2.20
Older versions may also be affected.
Secure versions:
Spring Framework 5.3.18
Spring Framework 5.2.20
To exploit the vulnerability, the following requirement must be met:
The Spring Framework, or a framework derived from it, runs on JDK 9 or higher.
According to the vulnerability report, the reported attack scenario requires all of the following. However, the vulnerability is more general in nature, and other ways to exploit it that have not yet been reported may exist.
1. JDK 9 or higher
2. Apache Tomcat as the Servlet container
3. Packaged as WAR
4. spring-webmvc or spring-webflux dependency
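As an added illustration (not part of this notice), the affected-version ranges and the reported attack prerequisites above expressed as a check a defender can run against a deployment. Reading the version from a jar assumes the Implementation-Version manifest header that spring-core jars carry; the sample jar used below is constructed in the code.

```python
"""Check a Spring Framework deployment against the ranges in CVE-2022-22965."""
import io
import re
import zipfile

# Advisory ranges: 5.3.x < 5.3.18 and 5.2.x < 5.2.20 are affected.
FIXED_PATCH = {(5, 3): 18, (5, 2): 20}

def parse_version(text):
    """Turn '5.3.17' or '5.1.3.RELEASE' into a (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Spring version: {text!r}")
    return tuple(int(x) for x in m.groups())

def assess_version(version):
    """Return 'fixed', 'affected', 'unknown-older' or 'not-covered'."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is not None:
        return "fixed" if patch >= fixed else "affected"
    if (major, minor) < (5, 2):
        return "unknown-older"   # advisory: older versions may also be affected
    return "not-covered"         # release line not listed in the advisory

def spring_version_from_jar(jar_bytes):
    """Read Implementation-Version from META-INF/MANIFEST.MF (assumed present)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None

def prerequisites_met(jdk_major, container, packaging, dependencies):
    """True when all four conditions of the reported attack scenario hold."""
    web_dep = {"spring-webmvc", "spring-webflux"} & set(dependencies)
    return (jdk_major >= 9 and container.lower() == "tomcat"
            and packaging.lower() == "war" and bool(web_dep))

def make_sample_jar(version):
    """Constructed sample: a minimal jar whose manifest declares a version."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
    return buf.getvalue()

if __name__ == "__main__":
    for v in ("5.3.17", "5.3.18", "5.2.19", "5.2.20", "5.1.3.RELEASE"):
        print(v, assess_version(v))
    found = spring_version_from_jar(make_sample_jar("5.3.17"))
    print("jar:", found, assess_version(found),
          "scenario:", prerequisites_met(11, "Tomcat", "war", ["spring-webmvc"]))
```

The version check alone decides whether to upgrade; the prerequisite check only tells you whether the publicly reported scenario applies, which, as the notice says, is not the only possible one.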
IV. Vulnerability Handling
Secure versions have been released. You are advised to upgrade the Spring Framework to a secure version:
https://github.com/spring-projects/spring-framework/tags
Huawei Cloud WAF can defend against known attacks that exploit this vulnerability. If you are a WAF user, set the basic web protection status to Block. For details, see Configuring Basic Web Protection Rules.
Note: Before fixing the vulnerability, back up your files and test the change thoroughly.