Free Trial

Latest Spring Vulnerabilities Exploitation – CVE-2022-22965

Are you having a Spring MVC or Spring WebFlux application running on JDK version 9 or higher?

Then ensure that it is sufficiently protected. As it could possibly be attacked by remote code execution via data binding. This generally occurs when the application is run on tomcat in the format of a WAR deployment. If it is deployed in the default mode which is as the Spring boot executable jar then it would generally not be vulnerable.

This Critical vulnerability is identified as CVE-2022-22965 and was found during last week of March 2022

There seems to be other modes of exploitation which is yet to be figured out. The US Cybersecurity and infrastructure Agency, CISA on April 4, 2022 added the recently disclosed RCE vulnerability, to its Known Exploited Vulnerabilities Catalog.

Technically this CVE could be defined as a vulnerability that requires an endpoint with DataBinder enabled and is strongly dependent on the servlet container for the application. This vulnerability exists in the Spring Framework to bind data stored in the HTTP request to certain objects within an application. For this Exploitation The bug was found to be within the method ‘getCachedIntrospectionResults’ that was used for unauthorized access to objects by passing class names through HTTP requests.

This can lead to data leakage or remote code execution. This could not be just fixed by a class name check because in the new version of JDK 9 alternative methods are available for such exploits viz the Java 9 platform functionalities. This can facilitate an attacker to overwrite the Tomcat logging configuration and then upload a JSP web shell to execute arbitrary commands on a server running the vulnerable version of the framework.

The underlying requirements were the reasons for the exploit

  • Running on JDK version 9 or higher
  • Apache Tomcat is used as the Servlet container
  • Packaging as a traditional WAR and deploying in a standalone Tomcat instance makes it susceptible to exploitation
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions

Mitigation Steps

  • The Best option is to update to Spring Framework 5.3.18 and 5.2.20 or higher
  • If unable to upgrade, underlying workarounds can be handy
  • Upgrading to Tomcat
  • Downgrading to Java version 8
  • Disallowing certain Fields

Common Vulnerabilityies and Exposures

Prophaze-WAF as Service
Prophaze-WAF as Service

Contact us to get started

CVE-2024-22144 : ELI SCHEETZ ANTI-MALWARE SECURITY AND BRUTE-FORCE FIREWALL PLUGIN CODE INJECTION

CVE-2024-22144 : ELI SCHEETZ ANTI-MALWARE SECURITY AND BRUTE-FORCE FIREWALL PLUGIN CODE INJECTION

Description Improper Control of Generation of Code (‘Code Injection’) vulnerability in Eli Scheetz Anti-Malware Security and Brute-Force Firewall gotmls allows

Learn more
CVE-2024-26922 : LINUX KERNEL UP TO 6.9-RC4 AMDGPU PRIVILEGE ESCALATION

CVE-2024-26922 : LINUX KERNEL UP TO 6.9-RC4 AMDGPU PRIVILEGE ESCALATION

Description In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate the parameters of bo mapping operations more

Learn more
CVE-2024-21511 : MYSQL2 UP TO 3.9.6 READCODEFOR TIMEZONE CODE INJECTION

CVE-2024-21511 : MYSQL2 UP TO 3.9.6 READCODEFOR TIMEZONE CODE INJECTION

Description Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the

Learn more