-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2022.0075
      Spring Framework RCEs (CVE-2022-22963 CVE-2022-22965)
                            1 April 2022
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Spring Boot
                   Spring Cloud
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
                   macOS
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-22965 CVE-2022-22963
Comment:           CVSS (Max):  9.8 CVE-2022-22965 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
                   CVSS Source: VMware
                   Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

OVERVIEW

        Spring Framework is vulnerable to two remote code execution flaws.
        CVE-2022-22965 affects Spring Boot and requires non-default settings
        to be exploitable.

        CVE-2022-22965 affects the following Spring Boot versions:[1]

        o 5.3.0 to 5.3.17
        o 5.2.0 to 5.2.19
        o Older, unsupported versions are also affected

        A second remote code execution flaw (CVE-2022-22963) affects Spring
        Cloud Function versions:[2]

        o 3.1.6
        o 3.2.2

        These two vulnerabilities were disclosed in rapid succession and both
        belong to a large framework, Spring. This has led to some confusion
        in their reporting, including in the terminology used to describe
        them. Sophos has prepared an informative posting comparing and
        contrasting the two vulnerabilities, with detailed descriptions,
        clarifications and recommendations.[3]

IMPACT

        Spring.io, the solution provider, has published the following
        prerequisites for successful exploitation of CVE-2022-22965:

        "A Spring MVC or Spring WebFlux application running on JDK 9+ may be
        vulnerable to remote code execution (RCE) via data binding. The
        specific exploit requires the application to run on Tomcat as a WAR
        deployment. If the application is deployed as a Spring Boot
        executable jar, i.e. the default, it is not vulnerable to the
        exploit. However, the nature of the vulnerability is more general,
        and there may be other ways to exploit it.

        These are the prerequisites for the exploit:

        o JDK 9 or higher
        o Apache Tomcat as the Servlet container
        o Packaged as WAR
        o spring-webmvc or spring-webflux dependency"[1]

        The vulnerability affecting Spring Cloud (CVE-2022-22963) allows a
        user "to provide a specially crafted SpEL as a routing-expression
        that may result in remote code execution and access to local
        resources".[2]

MITIGATION

        Spring.io, the solution provider, has released patches for both
        vulnerabilities.

        For CVE-2022-22965 the following patched Spring Boot versions are
        available:

        o Spring Boot 2.5.12 [4]
        o Spring Boot 2.6.6 [5]

        If patching is not possible, or the version in use has no patch
        available, Spring.io provides mitigation steps in its
        publication.[1]

        For CVE-2022-22963, Spring Cloud has released patches and recommends
        upgrading to:[2]

        o 3.1.7
        o 3.2.3

        At the time of writing CVE-2022-22965 has a CVSS3 rating of 9.8[6]
        (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).[7]

        When determining your exposure to these vulnerabilities, be aware
        that Spring Framework may be incorporated into other technologies
        and so may not be readily apparent in your
        environment.[8][9][10][11] For CVE-2022-22965 it is suggested that
        you contact your solution provider to verify whether any technology
        used in your environment includes the vulnerable Spring Framework
        and whether the conditions for exploitation exist.
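        The version ranges, fixed releases and exploit prerequisites stated
        above, turned into a dependency check an operator can run against a
        build's dependency list. This is an added example and is not part of
        the AusCERT bulletin nor of Spring's own tooling. It assumes the
        Maven coordinates a typical build carries (spring-webmvc,
        spring-webflux, spring-cloud-function-context), that the 5.2.x/5.3.x
        ranges are matched against the spring-webmvc/spring-webflux version
        (the Spring Framework version, which is how reference [1] publishes
        them), and that the input is in `mvn dependency:list` form; the
        sample lines are constructed.

```python
import re

# Version facts as the bulletin states them (inclusive ranges).
# CVE-2022-22965: 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older unsupported versions.
# CVE-2022-22963: Spring Cloud Function 3.1.6 and 3.2.2.
AFFECTED_RANGES = {
    "CVE-2022-22965": [((5, 3, 0), (5, 3, 17)), ((5, 2, 0), (5, 2, 19))],
    "CVE-2022-22963": [((3, 1, 6), (3, 1, 6)), ((3, 2, 2), (3, 2, 2))],
}
# "Older, unsupported versions are also affected": anything below the lowest
# listed range for CVE-2022-22965 is treated as affected too.
OLDER_ALSO_AFFECTED = {"CVE-2022-22965": (5, 2, 0)}

# Fixed releases the bulletin names.
FIXED_RELEASES = {
    "CVE-2022-22965": ["Spring Boot 2.5.12", "Spring Boot 2.6.6"],
    "CVE-2022-22963": ["Spring Cloud Function 3.1.7", "Spring Cloud Function 3.2.3"],
}

# Assumption (not from the bulletin): the Maven coordinates a build usually
# carries for each affected component. The spring-webmvc/spring-webflux
# version is the Spring Framework version, which is what the 5.x ranges in
# reference [1] describe.
WEB_ARTIFACTS = {"org.springframework:spring-webmvc", "org.springframework:spring-webflux"}
ARTIFACT_TO_CVE = {
    **{a: "CVE-2022-22965" for a in WEB_ARTIFACTS},
    "org.springframework.cloud:spring-cloud-function-context": "CVE-2022-22963",
}


def parse_version(text):
    """'5.3.17' -> (5, 3, 17); a trailing qualifier such as '-SNAPSHOT' is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_affected(cve, version):
    """True if `version` falls in a range the bulletin lists as affected for `cve`."""
    v = parse_version(version)
    if any(lo <= v <= hi for lo, hi in AFFECTED_RANGES[cve]):
        return True
    floor = OLDER_ALSO_AFFECTED.get(cve)
    return floor is not None and v < floor


def exploit_prerequisites_met(jdk_major, servlet_container, packaging, artifacts):
    """The four prerequisites Spring.io lists for the known CVE-2022-22965 exploit:
    JDK 9+, Apache Tomcat, WAR packaging, spring-webmvc or spring-webflux present.
    False here does not mean the version is safe: the bulletin notes the flaw is
    more general than the published exploit, so patching is still required."""
    return (jdk_major >= 9
            and servlet_container.lower() == "tomcat"
            and packaging.lower() == "war"
            and bool(WEB_ARTIFACTS & set(artifacts)))


def parse_dependency_list(lines):
    """Parse 'groupId:artifactId:type:version:scope' lines (the mvn dependency:list
    format) into {'group:artifact': version}; lines that do not fit are skipped."""
    deps = {}
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[0] and parts[1]:
            deps[f"{parts[0]}:{parts[1]}"] = parts[3]
    return deps


def assess(deps, jdk_major, servlet_container, packaging):
    """Return one finding per dependency whose version the bulletin lists as affected."""
    findings = []
    for artifact, version in deps.items():
        cve = ARTIFACT_TO_CVE.get(artifact)
        if cve is None or not version_affected(cve, version):
            continue
        finding = {"cve": cve, "artifact": artifact, "version": version,
                   "upgrade_to": FIXED_RELEASES[cve]}
        if cve == "CVE-2022-22965":
            finding["known_exploit_prerequisites_met"] = exploit_prerequisites_met(
                jdk_major, servlet_container, packaging, deps)
        findings.append(finding)
    return findings


# Constructed sample in mvn dependency:list form; not output from any real project.
SAMPLE_DEPENDENCY_LIST = [
    "   org.springframework:spring-webmvc:jar:5.3.17:compile",
    "   org.springframework.cloud:spring-cloud-function-context:jar:3.2.2:compile",
    "   com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile",
]

if __name__ == "__main__":
    deps = parse_dependency_list(SAMPLE_DEPENDENCY_LIST)
    for finding in assess(deps, jdk_major=11, servlet_container="tomcat", packaging="war"):
        print(finding)
```

        Run against `mvn dependency:list` output; the JDK, container and
        packaging facts are supplied by the operator because they are not in
        the dependency list. A finding with `known_exploit_prerequisites_met`
        set to False still requires the upgrade, since the bulletin quotes
        Spring.io as saying the vulnerability is more general than the
        published exploit.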
        Proof-of-concept exploit code is publicly available, and SANS has
        observed exploitation attempts against CVE-2022-22965 but is unsure
        whether those attempts have been successful.[6][12]

        Further reading can be found in media and cyber security researcher
        reports.[13][14][15][16][17]

REFERENCES

        [1] Spring Framework RCE, Early Announcement
            https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

        [2] CVE-2022-22963: Remote code execution in Spring Cloud Function by
            malicious Spring Expression
            https://tanzu.vmware.com/security/cve-2022-22963

        [3] Two different "VMware Spring" bugs at large – we cut through the
            confusion
            https://nakedsecurity.sophos.com/2022/03/31/two-different-vmware-spring-bugs-at-large-we-cut-through-the-confusion/

        [4] Spring Boot 2.5.12 available now
            https://spring.io/blog/2022/03/31/spring-boot-2-5-12-available-now

        [5] Spring Boot 2.6.6 available now
            https://spring.io/blog/2022/03/31/spring-boot-2-6-6-available-now

        [6] Spring Vulnerability Update - Exploitation Attempts CVE-2022-22965
            https://isc.sans.edu/forums/diary/Spring+Vulnerability+Update+Exploitation+Attempts+CVE202222965/28504/

        [7] CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
            https://tanzu.vmware.com/security/cve-2022-22965

        [8] Spring Framework RCE, CVE-2022-22965
            https://www.jenkins.io/blog/2022/03/31/spring-rce-CVE-2022-22965/

        [9] Security Advisory: Spring Framework Vulnerability (CVE-2022-22965)
            https://community.flexera.com/t5/Revenera-Company-News/Security-Advisory-Spring-Framework-Vulnerability-CVE-2022-22965/ba-p/229921/jump-to/first-unread-message

        [10] Spring4Shell Framework RCE vulnerability (CVE-2022-22965) update -
             March 31, 2022
             https://community.sailpoint.com/t5/Community-Announcements/Spring4Shell-Framework-RCE-vulnerability-CVE-2022-22965-update/ba-p/212914

        [11] Precisely Software - Spring4Shell - CVE-2022-22965
             https://customer.precisely.com/s/article/Precisely-Software-Spring4Shell?language=en_US

        [12] SANS spots Spring4shell vulnerability exploitation attempts
             https://www.itnews.com.au/news/sans-spots-spring4shell-vulnerability-exploitation-attempts-578164

        [13] Spring confirms 'Spring4Shell' zero-day, releases patched update
             https://therecord.media/spring-confirms-spring4shell-zero-day-releases-patched-update/

        [14] Spring4Shell (CVE-2022-22965) FAQ: Spring Framework Remote Code
             Execution Vulnerability
             https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability

        [15] Trustwave's Action Response: CVE-2022-22965 and CVE-2022-22963
             https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwaves-action-response-cve-2022-22965-and-cve-2022-22963/

        [16] Spring Framework Remote Code Execution (CVE-2022-22965)
             https://www.veracode.com/blog/security-news/spring-framework-remote-code-execution-cve-2022-22965

        [17] VMware Confirms Zero-Day Vulnerability in Spring Framework Dubbed
             'Spring4Shell'
             https://redmondmag.com/articles/2022/03/31/vmware-confirms-zero-day-vulnerability.aspx

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this
security bulletin.

===========================================================================
        Australian Computer Emergency Response Team
        The University of Queensland
        Brisbane
        Qld 4072

        Internet Email: auscert@auscert.org.au
        Facsimile:      (07) 3365 7031
        Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                        AusCERT personnel answer during Queensland business
                        hours which are GMT+10:00 (AEST).
                        On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYkaFieNLKJtyKPYoAQhyjw/8C5QRWV9ifHX/QKSi9vQHr0e6gQtaBRI1
Rhydi4+0ZBt5ym6Nncv99IRMJ6+2lFlftWToZfDsp2LMzEvCwNEp4xkpqkzl4y3C
fpBmxf1w68fO0bTcpWub1qcSlmf++11bmlLUgDKXuTJAF2VIXKaYc/cl3FhPjqHA
DtjCeryIeaL+lVYtMyF0mV+zpXtLstcuIw9i0WqRrT0xy+iAYb7kyqGEhPMR1OZR
pWYg8LZWTSEstUqSg4LS9FomWuPLxoP2sax1iX6QI9tcXTh1gkTxRWRfjx8YsDdE
CV+Wtw4hplxfI5lzaDSBnlyw+n14fxaU2K2B5hI/n1OE4HhUMfYnA+J8U3WequXx
NIWbFdk4161o8LJndngAGKMfidG9OZ2TEsCTddwbYi2UgJB1P8jAUDuBJd1tkQao
h3gEd45GxV9PACNI583PqqiwCrhvRAZLnNisDvpi13nXqc4Re+wYT9GeMNPNHYO8
y7pRvJuXMPCoxavtlbQqbzqb7PrE3ynGonL0uSxAU9vygOLF+ieLR/Ew50Z4unT3
gsA8IfW8L3zbz7OXGg82VVD4bTONwAJcQgPL1TXloYLybm/N6ZkrZZRoaSCy+HqY
d9ndXODXQd8ZgvdJFssMor8LMCW8qWOFmKaB5+jXI4Uc2yO0Zy5pnH0fM4MzUT1n
2Ryr/sBXuRo=
=cmFw
-----END PGP SIGNATURE-----