Two new Spring Framework vulnerabilities have surfaced over this last week, and both are considered critical.

The first of these is an unauthenticated Remote Code Execution (RCE) issue in Spring Cloud Function and is tracked as CVE-2022-22963. The other is also an unauthenticated RCE issue, but this one is in the core Spring Framework and is tracked as CVE-2022-22965. Patches are available for both issues as of March 31.

CVE-2022-22965, also known as Spring4Shell or SpringShell

Root cause analysis has determined that the issue is caused by a function in the Spring Framework exposing the class object during parameter binding. Parameter binding is the mechanism that maps HTTP request parameters onto application-level objects.

With the class object exposed, an attacker can manipulate it simply by adding URL parameters to an HTTP request, which leads to remote code execution. Published proof-of-concept exploits drop a webshell on the Tomcat server by altering the log path so that the webshell contents are written to a JSP file; the attacker can then issue arbitrary commands to be executed on the server. Since the proof-of-concept exploit was published, active exploitation has been observed in the wild.

CVE-2022-22965 has a severity of "Critical"; therefore, a top priority for developers that use the Spring Framework should be upgrading to 5.3.18 or 5.2.20.

If you are not sure whether your application is at risk, the fastest way to identify whether an application is vulnerable is through Software Composition Analysis (SCA) techniques.

SCA will determine whether an application contains a vulnerable version of the Spring Framework, as well as any other publicly known vulnerabilities in its dependencies.
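To show the core of what an SCA check does for this advisory, here is an added example (not HCL AppScan's code or Spring's) that reads the spring-core version out of a jar's embedded Maven pom.properties, with a fallback to the manifest's Implementation-Version, and compares it against the fixed versions named above (5.3.18 and 5.2.20). The sample jar is constructed in memory so the script runs offline; how branches other than 5.2.x and 5.3.x are treated is an assumption of this example, not something the post states.

```python
import io
import re
import zipfile

# Path where Maven-built jars carry their coordinates and version.
POM_PROPS_PATH = "META-INF/maven/org.springframework/spring-core/pom.properties"
MANIFEST_PATH = "META-INF/MANIFEST.MF"


def parse_version(text):
    """Turn '5.3.17' (or '5.3.17.RELEASE') into a comparable (5, 3, 17) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_cve_2022_22965(version):
    """True if this spring-core version predates the fix on its branch."""
    v = parse_version(version)
    if v[:2] == (5, 3):
        return v < (5, 3, 18)   # fixed in 5.3.18
    if v[:2] == (5, 2):
        return v < (5, 2, 20)   # fixed in 5.2.20
    # Assumption of this example: branches older than 5.2 get no fix and are
    # flagged; branches newer than 5.3 are treated as carrying the fix.
    return v < (5, 2, 0)


def _read_member(zf, name):
    return zf.read(name).decode("utf-8") if name in zf.namelist() else None


def spring_core_version(jar_bytes):
    """Extract the spring-core version from a jar, or None if it is not spring-core."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        props = _read_member(zf, POM_PROPS_PATH)
        if props is not None:
            for line in props.splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
        # Fallback: the manifest, but only if it identifies itself as spring-core.
        manifest = _read_member(zf, MANIFEST_PATH) or ""
        if "Implementation-Title: spring-core" in manifest:
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    return line.split(":", 1)[1].strip()
    return None


def scan_jar(jar_bytes):
    """Return an SCA-style finding for CVE-2022-22965 on one jar."""
    version = spring_core_version(jar_bytes)
    if version is None:
        return {"spring_core": None, "cve_2022_22965": "not-applicable"}
    status = "vulnerable" if is_vulnerable_cve_2022_22965(version) else "fixed"
    return {"spring_core": version, "cve_2022_22965": status}


def build_sample_jar(version):
    """Constructed test data: a minimal jar with the metadata files a real spring-core jar carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST_PATH,
                    "Manifest-Version: 1.0\n"
                    "Implementation-Title: spring-core\n"
                    f"Implementation-Version: {version}\n")
        zf.writestr(POM_PROPS_PATH,
                    f"version={version}\ngroupId=org.springframework\nartifactId=spring-core\n")
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("5.3.17", "5.3.18", "5.2.19", "5.2.20"):
        print(v, scan_jar(build_sample_jar(v)))
```

A real SCA tool walks every jar in the deployed artifact (including jars nested inside a WAR) and checks all of them against a vulnerability database rather than a single hard-coded CVE, but the version extraction and fixed-version comparison shown here are the heart of the finding it reports.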

If you need a tool for this kind of scanning, HCL AppScan on Cloud is available and contains capabilities for identifying these and other vulnerabilities.

Figure 1 below highlights CVE-2022-22965 found in a spring-core jar file.

[Figure 1: CVE-2022-22965 found in a spring-core jar file]

Figure 2 below shows part of an Open-Source Report containing specific vulnerability findings.

[Figure 2: Open-Source Report containing specific vulnerability findings]


Current customers that own a license for OSA can choose to scan for open-source and third-party libraries. If you are not a current AppScan on Cloud customer, these SCA capabilities are also available in our free 30-day trial.

