Latest Spring Vulnerabilities Exploitation – CVE-2022-22965

Are you running a Spring MVC or Spring WebFlux application on JDK version 9 or higher?

Then make sure it is sufficiently protected, because it can potentially be attacked through remote code execution via data binding. This typically affects applications running on Tomcat as a WAR deployment. An application deployed in the default way, as a Spring Boot executable jar, is generally not vulnerable.

This critical vulnerability is identified as CVE-2022-22965 and was found in the last week of March 2022.

Other modes of exploitation may exist that have not yet been identified. On April 4, 2022 the US Cybersecurity and Infrastructure Security Agency (CISA) added the recently disclosed RCE vulnerability to its Known Exploited Vulnerabilities Catalog.

Technically, this CVE requires an endpoint with DataBinder enabled and depends strongly on the servlet container the application runs in. The vulnerability lies in the Spring Framework feature that binds data from the HTTP request to objects within the application. The bug was found in the method 'getCachedIntrospectionResults', which could be used to gain unauthorized access to objects by passing class names through HTTP request parameters.

This can lead to data leakage or remote code execution. It could not be fixed simply by a class-name check, because from JDK 9 onward alternative routes to the same objects are available, namely the Java 9 platform functionality. In the published exploit this allows an attacker to overwrite the Tomcat logging configuration and then upload a JSP web shell to execute arbitrary commands on a server running a vulnerable version of the framework.

The underlying requirements for the exploit are:

  • Running on JDK version 9 or higher
  • Apache Tomcat is used as the Servlet container
  • Packaging as a traditional WAR and deploying in a standalone Tomcat instance makes it susceptible to exploitation
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions

Mitigation Steps

  • The best option is to update to Spring Framework 5.3.18 or 5.2.20 or higher
  • If you cannot upgrade, the following workarounds can help:
  • Upgrading Tomcat
  • Downgrading to Java version 8
  • Disallowing certain fields in the data binder
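The last workaround, disallowing fields, is worth showing concretely. The snippet below is an added example, not code from the original article: a Spring @ControllerAdvice that registers an @InitBinder callback for every controller and puts the class-related field patterns on the DataBinder's disallowed list. The four patterns are the ones Spring published as its workaround for this CVE; the class name BinderControllerAdvice is our own choice.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global workaround for CVE-2022-22965 when the Spring Framework itself
 * cannot yet be upgraded to 5.3.18 / 5.2.20 or later.
 *
 * The @InitBinder method runs for every controller, so request parameters
 * that try to walk into "class" / "Class" properties (and any nested
 * "*.class.*" / "*.Class.*" path) are rejected by the DataBinder instead
 * of being bound onto the target object.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE - 10000) // run before ordinary controller advice
public class BinderControllerAdvice {

    // Field patterns from Spring's published workaround for this CVE.
    private static final String[] DISALLOWED_FIELDS = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        dataBinder.setDisallowedFields(DISALLOWED_FIELDS);
    }
}
```

Two caveats apply. A controller that has its own @InitBinder method calling setDisallowedFields replaces this list locally, so such controllers must include these patterns themselves; and this is a mitigation for the known exploitation path only, not a substitute for the framework upgrade, which is the fix the rest of this page recommends.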
