Two new vulnerabilities in the Spring ecosystem surfaced over the past week, and both are rated critical.
The first is an unauthenticated remote code execution (RCE) issue in Spring Cloud Function, tracked as CVE-2022-22963: a SpEL expression injection through the spring.cloud.function.routing-expression request header, fixed in Spring Cloud Function 3.1.7 and 3.2.3. The second is also an unauthenticated RCE, but this one is in the core Spring Framework and is tracked as CVE-2022-22965. Patches are available for both issues as of March 31.
CVE-2022-22965, also known as Spring4Shell or SpringShell
Root cause analysis has traced the issue to Spring's data binding, the mechanism that maps HTTP request parameters onto application-level objects by property path (a parameter named address.city=Oslo becomes a call to getAddress().setCity("Oslo") on the bound object). Every Java object exposes a class property, and Spring's binder only blocked the known-dangerous classLoader and protectionDomain properties on it. On JDK 9 and later the path class.module.classLoader reaches the ClassLoader through the Module object that JDK 9 introduced, and the older check did not cover that route.
With the ClassLoader reachable, an attacker gets remote code execution simply by adding crafted parameters to an HTTP request. The published proof-of-concept targets Tomcat: it reaches the AccessLogValve through the ClassLoader's resources, redirects the access log's directory, prefix and suffix so that the log file becomes a JSP under the web root, and sets the log pattern to the webshell body, which Tomcat then writes out on the next request. Attackers can then issue arbitrary commands to the server. That exploit path requires JDK 9 or later, Tomcat as the servlet container and a WAR deployment with a controller that binds request parameters to a non-primitive object, but the underlying flaw is more general and other exploit paths may exist. Since the proof-of-concept was published, active exploitation has been observed in the wild.
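The exploit shape described above leaves a distinctive trace in web server access logs: parameter names that walk from class through module to classLoader, and, for the Tomcat proof-of-concept, on to the AccessLogValve's pattern, suffix, directory, prefix and fileDateFormat properties. The following detector is an added example for this post, not code from the original page or from HCL AppScan. It parses constructed sample lines in combined log format (the sample log is made up for this example; the parameter names follow the publicly documented proof-of-concept), URL-decodes the query string, and flags any parameter that traverses the class property, distinguishing the generic ClassLoader reach from the Tomcat log-rewrite sequence.

```python
"""Flag Spring4Shell (CVE-2022-22965) exploitation attempts in access logs.

Added example, not part of the original post. Parses combined-format log
lines, URL-decodes the query string, and reports bound parameter names that
traverse the `class` property (the path the exploit abuses).
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Combined log format: client - - [timestamp] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Property path that reaches the ClassLoader on JDK 9+ (compared case-insensitively).
CLASSLOADER_PATH = "class.module.classloader"

# Tomcat AccessLogValve properties the public proof-of-concept rewrites.
ACCESSLOG_PROPS = {"pattern", "suffix", "directory", "prefix", "filedateformat"}

# Constructed sample log (not a real capture). 203.0.113.77 replays the documented
# PoC parameter sequence; 198.51.100.5 probes the ClassLoader a different way.
SAMPLE_LOG = """\
203.0.113.10 - - [31/Mar/2022:10:15:01 +0000] "GET /app/hello?name=bob HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.77 - - [31/Mar/2022:10:15:03 +0000] "GET /app/hello?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 200 512 "-" "curl/7.79.1"
203.0.113.77 - - [31/Mar/2022:10:15:04 +0000] "GET /app/hello?class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1" 200 512 "-" "curl/7.79.1"
203.0.113.10 - - [31/Mar/2022:10:15:09 +0000] "GET /app/hello?class.name=Widget HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.5 - - [31/Mar/2022:10:16:00 +0000] "GET /app/hello?class.module.classLoader.URLs%5B0%5D=http://198.51.100.5/x HTTP/1.1" 400 0 "-" "python-requests/2.27"
203.0.113.77 - - [31/Mar/2022:10:16:30 +0000] "POST /app/hello HTTP/1.1" 200 512 "-" "curl/7.79.1"
"""


def classify_param(name):
    """Reason string if a bound parameter name walks through `class`, else None."""
    segs = [s.lower() for s in name.split(".")]
    if "class" not in segs[:-1]:
        return None  # no traversal through a nested .class. property
    if segs == ["class", "name"]:
        return None  # class.name yields only a type name, no ClassLoader access
    path = ".".join(segs)
    if path.startswith(CLASSLOADER_PATH):
        # Indexed properties such as URLs[0] are compared by their base name.
        if "pipeline" in segs and segs[-1].split("[")[0] in ACCESSLOG_PROPS:
            return "Tomcat AccessLogValve property rewrite (webshell-drop pattern)"
        return "ClassLoader traversal via class.module.classLoader"
    return "property path traverses 'class' (blocked by Spring's workaround denylist)"


def scan_access_log(lines):
    """Return one finding dict per suspicious query parameter across all lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # keep_blank_values: the PoC sets fileDateFormat to an empty string.
        for name, value in parse_qsl(query, keep_blank_values=True):
            reason = classify_param(name)
            if reason:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "method": m.group("method"), "param": name,
                                 "value": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} {f['param']} -> {f['reason']}")
```

The last sample line shows the limit of this approach: the same parameters sent in a POST body never reach the access log, so the detector only sees GET-style probes. Covering POST traffic needs request-body logging at a reverse proxy or WAF, where the same classify_param check applies to each decoded form field.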
CVE-2022-22965 is rated Critical, so the top priority for teams using the Spring Framework should be upgrading to 5.3.18 or 5.2.20 (Spring Boot 2.6.6 and 2.5.12 pull in the fixed versions). Where an upgrade cannot ship immediately, Spring's suggested workaround is a global @ControllerAdvice whose @InitBinder method calls setDisallowedFields on the WebDataBinder with the patterns class.*, Class.*, *.class.* and *.Class.*; note that a controller which declares its own @InitBinder with setDisallowedFields overrides that global setting and must be fixed separately.
If you are not sure whether your application is at risk, the fastest way to find out is Software Composition Analysis (SCA).
SCA inventories the third-party libraries an application actually ships, including transitive dependencies that never appear in your own build file, and matches their versions against publicly known vulnerabilities, so it will flag a vulnerable Spring Framework version along with anything else in the dependency tree.
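To make the version check concrete, here is a minimal composition scan for this one CVE. It is an added example for this post, not HCL AppScan code and not a substitute for a full SCA tool: it walks a directory tree, opens every .jar and .war, finds spring-core or spring-beans (spring-beans holds the binder, and all Spring Framework modules share one version), reads Implementation-Version from META-INF/MANIFEST.MF, looks inside Spring Boot fat jars for nested copies under BOOT-INF/lib or WEB-INF/lib, and compares the version against the affected ranges from the advisory (5.3.0 to 5.3.17, 5.2.0 to 5.2.19, plus older out-of-support lines). The sample jars are constructed in a temporary directory with manifest-only contents so the script runs offline.

```python
"""Minimal SCA-style check for CVE-2022-22965 in Spring Framework jars.

Added example, not part of the original post. Scans a tree of jars/wars,
including jars nested inside Spring Boot fat jars, and reports which
spring-core / spring-beans versions fall in the affected ranges.
"""
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path

# First fixed patch level per supported Spring Framework line (from the advisory).
FIXED = {(5, 3): 18, (5, 2): 20}

# spring-core and spring-beans always ship at the same version.
JAR_NAME = re.compile(r"spring-(?:core|beans)-(\d+\.\d+\.\d+)[^/]*\.jar$")


def parse_version(version):
    """'5.2.20.RELEASE' -> (5, 2, 20); raises on anything not major.minor.patch."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Spring version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED:
        return patch < FIXED[line]
    # 5.1 and older (and 4.x) are out of support and affected with no fix;
    # anything newer than 5.3 (for example 6.x) shipped after the fix.
    return line < (5, 2)


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def scan_jar(path):
    """Return [(location, version)] for Spring jars at `path` or nested inside it."""
    found = []
    with zipfile.ZipFile(path) as zf:
        m = JAR_NAME.search(os.path.basename(path))
        if m:
            found.append((str(path), manifest_version(zf) or m.group(1)))
        # Fat jars and WARs nest dependencies under BOOT-INF/lib or WEB-INF/lib.
        for member in zf.namelist():
            m = JAR_NAME.search(member)
            if m:
                with zipfile.ZipFile(io.BytesIO(zf.read(member))) as inner:
                    found.append((f"{path}!/{member}", manifest_version(inner) or m.group(1)))
    return found


def scan_tree(root):
    """Report every Spring jar under `root` with its vulnerability verdict."""
    report = []
    for p in Path(root).rglob("*"):
        if p.suffix in (".jar", ".war") and zipfile.is_zipfile(p):
            for location, version in scan_jar(p):
                report.append({"location": location, "version": version,
                               "vulnerable": is_vulnerable(version)})
    return sorted(report, key=lambda r: r["location"])


def build_sample_tree(root):
    """Constructed fixtures: two plain jars and one fat jar with a nested copy."""
    def manifest(version):
        return f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n"
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    for name, version in (("spring-core-5.3.17.jar", "5.3.17"),
                          ("spring-core-5.2.20.RELEASE.jar", "5.2.20.RELEASE")):
        with zipfile.ZipFile(root / "lib" / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest(version))
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest("5.3.18"))
    with zipfile.ZipFile(root / "app.jar", "w") as zf:
        zf.writestr("BOOT-INF/lib/spring-core-5.3.18.jar", inner.getvalue())


def demo():
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for r in demo():
        flag = "VULNERABLE" if r["vulnerable"] else "ok"
        print(f"{flag:10} {r['version']:16} {r['location']}")
```

Run it against a real deployment with scan_tree("/opt/tomcat/webapps") or a build output directory. A real SCA tool adds what this script deliberately leaves out: shaded or renamed jars, a full advisory database rather than one hard-coded range, and the other vulnerabilities in the same dependency tree.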
If you need a tool for this kind of scanning, HCL AppScan on Cloud includes capabilities for identifying these and other vulnerabilities.
Figure 1 below shows CVE-2022-22965 highlighted in a spring-core jar file.
Figure 2 below shows part of an Open-Source Report containing specific vulnerability findings.
Current customers that own an OSA license can opt to scan for open source and third-party libraries. If you are not a current AppScan on Cloud customer, the same SCA capabilities are available in our free 30-day trial.