HCL SW Blogs
Select Page

Two new Spring Framework vulnerabilities have surfaced over this last week, and both are considered critical.

The first of these is an unauthenticated Remote Code Execution (RCE) issue in the Spring Cloud Function and has been listed as a vulnerability with an identifier of CVE-2022-22963. The other is also an unauthenticated RCE issue, but this is in the core Spring Framework and with the identifier CVE-2022-22965. There are patches available for both issues as of March 31.

CVE-2022-22965 also known as Spring4Shell or SpringShell

Root cause analysis has determined that the issue is due to a function in the Spring Framework exposing the class object when parameters are bound. This parameter binding allows HTTP request parameters to be bound to application-level objects.

With the class object exposed, this leads to remote code execution by allowing attackers to manipulate the class object by simply adding URL parameters to an HTTP request. Proof of Concept exploits involve dropping a webshell on the Tomcat server by altering the log path and writing the webshell contents to a JSP file. Attackers can then issue arbitrary commands to be executed on the server.  Since the Proof-of-concept exploit has been published, active exploitation has been observed in the wild.

CVE-2022-22965 has a severity of “Critical”, and therefore, a top priority of developers that use the Spring Framework should be upgrading to 5.3.18 or 5.2.20.

If you are not sure if your application is at risk, then the fastest way to identify if an application is vulnerable is through Software Composition Analysis techniques (SCA).

SCA will determine if an application contains the vulnerable version of the Spring Framework, as well as any other publicly known vulnerabilities.

If you need a tool for this kind of scanning, HCL AppScan on Cloud is available and contains capabilities for identifying these and other vulnerabilities.

Figure 1 below illustrates highlighting CVE-2022-22965 found in a spring-core jar file.


CVE-2022-22965 found in a spring-core jar file

Figure 2 below shows part of an Open-Source Report containing specific vulnerability findings.


Open-Source Report containing specific vulnerability findings


Current customers that own a license for OSA can select to scan for Open Source and third-party libraries.  If you are not a current AppScan on Cloud customer, these SCA capabilities are also available in our free 30 day trial, as well.


Comment wrap
Further Reading
HCL AppScan Standard Reinvents the Configuration UI in Version 10.2.0
Secure DevOps | April 6, 2023
HCL AppScan Standard Reinvents the Configuration UI in Version 10.2.0
Chek out what's new with AppScan Standard, a DAST (Dynamic Application Security Testing) tool designed for security experts and pen-testers that automatically crawls target applications and APIs and tests them for vulnerabilities.
OWASP Global AppSec Dublin 2023
Secure DevOps | March 13, 2023
What you missed at OWASP Global AppSec Dublin 2023
See what you missed at OWASP Global AppSec Dublin 2023. HCLSoftware has the scoop.
Lunch n Learn
Secure DevOps | March 7, 2023
What You’ll Learn at AppScan’s March Lunch “N” Learn
Join us on March 14th, 2023 to talk with our experts as they give an overview of some our newest features.  
Filters result by