Two new Spring Framework vulnerabilities have surfaced over this last week, and both are considered critical.

The first is an unauthenticated Remote Code Execution (RCE) issue in Spring Cloud Function, tracked as CVE-2022-22963. The other is also an unauthenticated RCE issue, but in the core Spring Framework itself, tracked as CVE-2022-22965. Patches for both issues are available as of March 31.

CVE-2022-22965, also known as Spring4Shell or SpringShell

Root cause analysis has determined that the issue is due to a function in the Spring Framework exposing the class object when parameters are bound. This parameter binding allows HTTP request parameters to be bound to application-level objects.

With the class object exposed, attackers can achieve remote code execution by manipulating that object simply by adding URL parameters to an HTTP request. Proof-of-concept exploits drop a webshell on the Tomcat server by altering the log path and writing the webshell contents to a JSP file; attackers can then issue arbitrary commands to be executed on the server. Since the proof-of-concept exploit was published, active exploitation has been observed in the wild.

CVE-2022-22965 has a severity of "Critical"; therefore, upgrading to 5.3.18 or 5.2.20 should be a top priority for developers who use the Spring Framework.

If you are not sure whether your application is at risk, the fastest way to identify whether it is vulnerable is through Software Composition Analysis (SCA) techniques.

SCA will determine whether an application contains a vulnerable version of the Spring Framework, as well as whether it carries any other publicly known vulnerabilities.
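As an added example (not code from the original post or from AppScan), here is a minimal SCA-style check in Python: it reads the version a spring-core jar records in its metadata and compares it against the 5.3.18 / 5.2.20 fix thresholds, treating the older, unpatched 5.1 and 4.x lines as vulnerable. The jar used below is constructed in memory as sample data, and the Maven pom.properties path and manifest fallback are assumed from the standard jar layout rather than taken from the post.

```python
import io
import re
import zipfile

# First fixed releases for CVE-2022-22965 on each supported line (from the post).
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
# Where a jar may record its version (assumed standard Maven/jar layout).
POM_PROPS = "META-INF/maven/org.springframework/spring-core/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"


def parse_version(version):
    """'5.3.17' or '5.3.17.RELEASE' -> (5, 3, 17)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable_spring_core(version):
    """True if spring-core `version` predates the CVE-2022-22965 fix.
    5.3.x is fixed from 5.3.18, 5.2.x from 5.2.20; 5.1/4.x never got a patch."""
    major, minor, patch = parse_version(version)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return (major, minor) < (5, 2)  # 6.x shipped with the fix; older lines did not
    return (major, minor, patch) < fixed


def scan_jar(jar_bytes):
    """Return (version, vulnerable) for a spring-core jar, or None if not found."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        if POM_PROPS in names:                      # Maven metadata
            text, key = jar.read(POM_PROPS).decode(), "version="
        elif MANIFEST in names:                     # fall back to the manifest
            text, key = jar.read(MANIFEST).decode(), "Implementation-Version: "
        else:
            return None
    for line in text.splitlines():
        if line.startswith(key):
            version = line[len(key):].strip()
            return version, is_vulnerable_spring_core(version)
    return None


def build_sample_jar(version):
    """Constructed stand-in for a spring-core jar: just the pom.properties entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=spring-core\nversion={version}\n")
    return buf.getvalue()
```

Point `scan_jar` at the bytes of each jar under your application's lib directory to get a quick first pass before running a full SCA tool.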

If you need a tool for this kind of scanning, HCL AppScan on Cloud is available and contains capabilities for identifying these and other vulnerabilities.

Figure 1 below shows CVE-2022-22965 highlighted in a spring-core jar file.

CVE-2022-22965 found in a spring-core jar file

Figure 2 below shows part of an Open-Source Report containing specific vulnerability findings.

Open-Source Report containing specific vulnerability findings

Current customers that own a license for OSA can select to scan for Open Source and third-party libraries. If you are not a current AppScan on Cloud customer, these SCA capabilities are also available in our free 30-day trial.
