Are you having a Spring MVC or Spring WebFlux application running on JDK version 9 or higher?
Then ensure that it is sufficiently protected. As it could possibly be attacked by remote code execution via data binding. This generally occurs when the application is run on tomcat in the format of a WAR deployment. If it is deployed in the default mode which is as the Spring boot executable jar then it would generally not be vulnerable.
This Critical vulnerability is identified as CVE-2022-22965 and was found during last week of March 2022
There seems to be other modes of exploitation which is yet to be figured out. The US Cybersecurity and infrastructure Agency, CISA on April 4, 2022 added the recently disclosed RCE vulnerability, to its Known Exploited Vulnerabilities Catalog.
Technically this CVE could be defined as a vulnerability that requires an endpoint with DataBinder enabled and is strongly dependent on the servlet container for the application. This vulnerability exists in the Spring Framework to bind data stored in the HTTP request to certain objects within an application. For this Exploitation The bug was found to be within the method ‘getCachedIntrospectionResults’ that was used for unauthorized access to objects by passing class names through HTTP requests.
This can lead to data leakage or remote code execution. This could not be just fixed by a class name check because in the new version of JDK 9 alternative methods are available for such exploits viz the Java 9 platform functionalities. This can facilitate an attacker to overwrite the Tomcat logging configuration and then upload a JSP web shell to execute arbitrary commands on a server running the vulnerable version of the framework.
The underlying requirements were the reasons for the exploit
- Running on JDK version 9 or higher
- Apache Tomcat is used as the Servlet container
- Packaging as a traditional WAR and deploying in a standalone Tomcat instance makes it susceptible to exploitation
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
Mitigation Steps
- The Best option is to update to Spring Framework 5.3.18 and 5.2.20 or higher
- If unable to upgrade, underlying workarounds can be handy
- Upgrading to Tomcat
- Downgrading to Java version 8
- Disallowing certain Fields
