
===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2022.0075
           Spring Framework RCEs (CVE-2022-22963 CVE-2022-22965)
                               1 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Spring Boot
                  Spring Cloud
Operating System: UNIX variants (UNIX, Linux, OSX)
                  Windows
                  macOS
Resolution:       Patch/Upgrade
CVE Names:        CVE-2022-22965 CVE-2022-22963 

Comment: CVSS (Max):  9.8 CVE-2022-22965 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: VMware
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

OVERVIEW

        Spring Framework is vulnerable to two remote code execution flaws.
        
        CVE-2022-22965 affects Spring Boot and requires non-default settings
        to be exploitable. CVE-2022-22965 affects the following Spring Boot
        versions:[1]
         o 5.3.0 to 5.3.17
         o 5.2.0 to 5.2.19
         o Older, unsupported versions are also affected
        
        A second remote code execution flaw (CVE-2022-22963) affects Spring Cloud
        Function versions:[2]
         o 3.1.6
         o 3.2.2
        
        These two vulnerabilities were disclosed in rapid succession and both
        sit within a large framework, Spring. This has led to some confusion in
        their reporting, including in the terminology used to describe them.
        Sophos has prepared an informative post comparing and contrasting the
        vulnerabilities, including detailed descriptions, clarifications and
        recommendations.[3]


IMPACT

        Spring.io, the solution provider, has published the following
        prerequisites for successful exploitation of CVE-2022-22965.
        
        "A Spring MVC or Spring WebFlux application running on JDK 9+ may be
        vulnerable to remote code execution (RCE) via data binding. The
        specific exploit requires the application to run on Tomcat as a WAR
        deployment. If the application is deployed as a Spring Boot
        executable jar, i.e. the default, it is not vulnerable to the
        exploit. However, the nature of the vulnerability is more general,
        and there may be other ways to exploit it.
        
        These are the prerequisites for the exploit:
        
         o JDK 9 or higher
         o Apache Tomcat as the Servlet container
         o Packaged as WAR
         o spring-webmvc or spring-webflux dependency"[1]
        
        The vulnerability affecting Spring Cloud (CVE-2022-22963) allows a user
        "to provide a specially crafted SpEL as a routing-expression that may
        result in remote code execution and access to local resources"[2].


MITIGATION

        Spring.io, the solution provider, has released patches for both
        vulnerabilities.
        For CVE-2022-22965 the following versions of Spring Boot have patches
        available:
         o Spring Boot 2.5.12 [4]
         o Spring Boot 2.6.6 [5]
        
        Should it not be possible to patch, or should the version in use not
        have a current patch, Spring.io provides mitigation steps in its
        publication.[1]
        
        For CVE-2022-22963, Spring Cloud has patches available and recommends
        upgrading to:[2]
         o 3.1.7
         o 3.2.3
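        The version ranges and exploit prerequisites above are the facts an
        inventory triage needs. The following is an added example, not code
        from AusCERT, Spring or VMware: it encodes exactly the affected and
        patched versions listed in this bulletin and the four prerequisites
        Spring quotes for the known CVE-2022-22965 exploit, and runs them over
        a constructed inventory. The Deployment record and its field names are
        an assumed schema, and the sample versions and application names are
        constructed.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Affected and patched versions exactly as listed in this bulletin (ranges are inclusive).
CVE_2022_22965_AFFECTED_RANGES: List[Tuple[str, str]] = [("5.3.0", "5.3.17"), ("5.2.0", "5.2.19")]
CVE_2022_22965_OLDEST_LISTED = "5.2.0"      # bulletin: older, unsupported versions are also affected
CVE_2022_22965_PATCHED_BOOT = ["2.5.12", "2.6.6"]
CVE_2022_22963_AFFECTED = {"3.1.6": "3.1.7", "3.2.2": "3.2.3"}   # affected -> fixed

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.3.17', '5.3.17.RELEASE' or '3.1.6-SNAPSHOT' into a comparable
    (major, minor, patch) tuple. Trailing qualifiers are ignored; a missing
    patch component is treated as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def cve_2022_22965_status(version: str) -> str:
    """Classify a version against the CVE-2022-22965 ranges in the bulletin."""
    v = parse_version(version)
    for low, high in CVE_2022_22965_AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return "affected"
    if v < parse_version(CVE_2022_22965_OLDEST_LISTED):
        return "affected (older, unsupported line)"
    return "not in a listed affected range"


def cve_2022_22963_status(version: str) -> str:
    """Classify a Spring Cloud Function version against the bulletin's list."""
    v = parse_version(version)
    for affected, fixed in CVE_2022_22963_AFFECTED.items():
        if v == parse_version(affected):
            return f"affected; upgrade to {fixed}"
    return "not a listed affected version"


@dataclass(frozen=True)
class Deployment:
    """What an inventory tool records about one application (assumed, hypothetical schema)."""
    name: str
    jdk_major: int
    servlet_container: str          # e.g. "tomcat", "jetty", "undertow"
    packaging: str                  # "war" or "jar"
    dependencies: FrozenSet[str]    # artifact ids such as "spring-webmvc"


def meets_known_exploit_prerequisites(d: Deployment) -> bool:
    """True when all four prerequisites Spring lists for the known CVE-2022-22965
    exploit hold (JDK 9+, Tomcat, WAR packaging, spring-webmvc or spring-webflux).
    False means the known exploit path does not apply, not that the application
    is safe: Spring states the underlying flaw is more general."""
    has_web_dep = bool(d.dependencies & {"spring-webmvc", "spring-webflux"})
    return (d.jdk_major >= 9
            and d.servlet_container.lower() == "tomcat"
            and d.packaging.lower() == "war"
            and has_web_dep)


def triage(d: Deployment, spring_version: str) -> str:
    """One-line verdict for an inventory row: version status plus known-exploit-path exposure."""
    status = cve_2022_22965_status(spring_version)
    if not status.startswith("affected"):
        return f"{d.name}: {status}"
    path = ("known exploit prerequisites met" if meets_known_exploit_prerequisites(d)
            else "known exploit prerequisites not met (patch anyway)")
    return (f"{d.name}: {status}; {path}; patched Spring Boot releases listed: "
            f"{', '.join(CVE_2022_22965_PATCHED_BOOT)}")


if __name__ == "__main__":
    # Constructed sample inventory; names and versions are illustrative only.
    inventory = [
        (Deployment("billing-war", 11, "Tomcat", "war", frozenset({"spring-webmvc"})), "5.3.17.RELEASE"),
        (Deployment("api-jar", 17, "Tomcat", "jar", frozenset({"spring-webflux"})), "5.3.17"),
        (Deployment("legacy-jetty", 8, "Jetty", "war", frozenset({"spring-webmvc"})), "5.1.20"),
        (Deployment("reporting", 11, "Tomcat", "war", frozenset({"spring-webmvc"})), "5.3.18"),
    ]
    for dep, ver in inventory:
        print(triage(dep, ver))
    for scf in ("3.1.6", "3.2.2", "3.2.3"):
        print(f"spring-cloud-function {scf}: {cve_2022_22963_status(scf)}")
```

        The verdict deliberately distinguishes "known exploit prerequisites not
        met" from "not affected": an executable jar on an affected version still
        needs the patch, which is the point Spring's own wording makes.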
        
        At the time of writing, CVE-2022-22965 has a CVSS3 rating of 9.8[6]
        (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)[7].
        
        When determining your susceptibility to these vulnerabilities, please be
        aware that Spring Framework may be incorporated into other technologies
        and so may not be readily apparent in your environment.[8][9][10][11]
        
        For CVE-2022-22965 it is suggested that you contact your solution provider
        to verify whether any technologies used in your environment include the
        vulnerable Spring Framework and whether the conditions for exploitation exist.
        
        Proof of concept exploit code is available on the internet, and SANS has
        observed exploitation attempts for CVE-2022-22965 but is unsure whether
        those attempts are successful.[6][12]
        
        Further reading can be found in media and cyber security researcher
        reports.[13][14][15][16][17]


REFERENCES

        [1] Spring Framework RCE, Early Announcement
            https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

        [2] CVE-2022-22963: Remote code execution in Spring Cloud Function by
            malicious Spring Expression
            https://tanzu.vmware.com/security/cve-2022-22963

        [3] Two different "VMware Spring" bugs at large – we cut through the
            confusion
            https://nakedsecurity.sophos.com/2022/03/31/two-different-vmware-spring-bugs-at-large-we-cut-through-the-confusion/

        [4] Spring Boot 2.5.12 available now
            https://spring.io/blog/2022/03/31/spring-boot-2-5-12-available-now

        [5] Spring Boot 2.6.6 available now
            https://spring.io/blog/2022/03/31/spring-boot-2-6-6-available-now

        [6] Spring Vulnerability Update - Exploitation Attempts CVE-2022-22965
            https://isc.sans.edu/forums/diary/Spring+Vulnerability+Update+Exploitation+Attempts+CVE202222965/28504/

        [7] CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
            https://tanzu.vmware.com/security/cve-2022-22965

        [8] Spring Framework RCE, CVE-2022-22965
            https://www.jenkins.io/blog/2022/03/31/spring-rce-CVE-2022-22965/

        [9] Security Advisory: Spring Framework Vulnerability (CVE-2022-22965)
            https://community.flexera.com/t5/Revenera-Company-News/Security-Advisory-Spring-Framework-Vulnerability-CVE-2022-22965/ba-p/229921/jump-to/first-unread-message

        [10] Spring4Shell Framework RCE vulnerability (CVE-2022-22965) update -
             March 31, 2022
             https://community.sailpoint.com/t5/Community-Announcements/Spring4Shell-Framework-RCE-vulnerability-CVE-2022-22965-update/ba-p/212914

        [11] Precisely Software - Spring4Shell - CVE-2022-22965
             https://customer.precisely.com/s/article/Precisely-Software-Spring4Shell?language=en_US

        [12] SANS spots Spring4shell vulnerability exploitation attempts
             https://www.itnews.com.au/news/sans-spots-spring4shell-vulnerability-exploitation-attempts-578164

        [13] Spring confirms 'Spring4Shell' zero-day, releases patched update
             https://therecord.media/spring-confirms-spring4shell-zero-day-releases-patched-update/

        [14] Spring4Shell (CVE-2022-22965) FAQ: Spring Framework Remote Code
             Execution Vulnerability
             https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability

        [15] Trustwave's Action Response: CVE-2022-22965 and CVE-2022-22963
             https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwaves-action-response-cve-2022-22965-and-cve-2022-22963/

        [16] Spring Framework Remote Code Execution (CVE-2022-22965)
             https://www.veracode.com/blog/security-news/spring-framework-remote-code-execution-cve-2022-22965

        [17] VMware Confirms Zero-Day Vulnerability in Spring Framework Dubbed
             'Spring4Shell'
             https://redmondmag.com/articles/2022/03/31/vmware-confirms-zero-day-vulnerability.aspx

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================