
Spring Framework vulnerabilities

This live blog contains information regarding Spring Framework vulnerabilities. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on April 8, 2022.


Information about vulnerabilities


Update April 8, 2022

10:00 | As with the Log4j vulnerabilities, the NCSC has published a GitHub page with several overviews regarding the vulnerability in the Spring Framework. The overview is maintained in collaboration with various security companies.

The GitHub page contains the following topics:

Call to Action:

  • Determine which applications are used within your organisation. Initially focus on applications that can be accessed directly from the internet, without going through an SSL VPN connection
  • Determine what applications are vulnerable to the Spring4Shell vulnerability
    • Several scan/check scripts are available that can help to identify vulnerable applications
  • Install a patch or apply a workaround when available

Update March 31, 2022

17:00 | On the 31st of March, the Spring project published an update regarding the “Spring4Shell” vulnerability, which exists in the Spring Core Framework. A CVE number has been assigned to the vulnerability: CVE-2022-22965.

Additionally, patches for the vulnerability are now available. It is advised to update to Spring Framework version 5.3.18 or 5.2.20. All versions prior to 5.3.18 and 5.2.20 are vulnerable to CVE-2022-22965. If patching is not an option, a suggested workaround is available in the original blog post of Spring.

10:00 | On the 29th of March, the Spring project (backed by VMware) published a patch for CVE-2022-22963, a vulnerability in the routing functionality of Spring Cloud Function. One or more unauthenticated remote code execution exploits have been published.

Additionally, a new zero-day vulnerability in the Spring Core Framework, dubbed “Spring4Shell”, has been publicly disclosed. It allows unauthenticated remote code execution.

We advise checking whether your products are vulnerable to CVE-2022-22963 and applying the patch as soon as possible. No patch is currently available for Spring4Shell; we advise keeping an eye out for patches and applying them as soon as they become available.


Background

CVE-2022-22963 was initially given a CVSS score of 5.4 by VMware. The advisory describes that an unauthenticated attacker may get access to local resources by sending a specially crafted SpEL expression as the routing expression when the routing functionality is used. That score may be too low, however, as unauthenticated remote code execution exploits have been published.

The vulnerability referred to as “Spring4Shell” has been assigned CVE-2022-22965. The public exploit has several dependencies and requires multiple requests to achieve code execution. There are likely multiple ways to exploit the vulnerability that lead to unauthenticated remote code execution, and several early-stage exploits are being shared online.

Risk

Both vulnerabilities allow a remote unauthenticated attacker to directly construct malicious requests that trigger remote code execution. Proof-of-concept exploits have been publicly disclosed, enabling attackers to further develop and improve them.

The VMware advisory for CVE-2022-22963 lists Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions as affected.

Spring4Shell can only be exploited on systems running JDK 9 or higher. This is a necessary condition, not a sufficient one, as the public exploit has further dependencies on the deployment (see Background). The affected Spring Framework versions are those prior to 5.3.18 and 5.2.20, as stated in the March 31 update above.

Advice

It is strongly advised to upgrade Spring Cloud Function to 3.1.7 or 3.2.3, which patch CVE-2022-22963.

For Spring4Shell, upgrade to Spring Framework 5.3.18 or 5.2.20 (see the March 31 update above). Where upgrading is not yet possible, the workaround is to “patch” DataBinder by registering a blacklist of the field patterns that exploitation requires, so that request parameters matching those patterns are never bound. More information can be found in the write-up of LunaSec.
