A zero-day remote code execution (RCE) vulnerability (CVE-2022-22965) was found in VMware’s Spring Framework. The vulnerability was reported on Tuesday, March 29, 2022, and was confirmed by Spring today. According to Spring, the vulnerability severity is critical and affects Spring MVC and Spring WebFlux applications running on JDK 9+.
CVE-2022-22965 requires that the application run on Tomcat as a WAR deployment. The application can’t be exploited if it’s deployed as a Spring Boot executable jar, i.e., the default. However, according to Spring, the nature of the vulnerability is more general and there could be other ways for exploitation, which have not been reported yet. How do you know if you’re impacted? See the requirements below:
To address the issue, Spring released an emergency update for Spring Framework versions 5.3.18 and 5.2.20. Spring is a java-based software framework used by many enterprises. The vulnerability affects the following Spring Framework versions:
On March 30, the InfoSec community was confused about the vulnerability due to two reasons. The first reason is because CVE-2022-22965 is not the only Spring boot vulnerability that was discovered. CVE-2022-22963, which is also a zero-day RCE vulnerability, affects VMware’s Spring Cloud Function component. According to VMware, when using the routing functionality, it’s possible for an attacker to provide a specially crafted Spring Expression Language (SpEL) as a routing-expression, which could result in access to local resources. The vulnerability was likened to Log4Shell, but it isn’t nearly as dangerous. Spring has since released a patch for Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions.
The second reason there was confusion is because the proof of concept (PoC) for CVE-2022-22965 and the vulnerability itself is not exploitable with out-of-the-box installations of Spring. An attacker would need to use specific functionality to exploit it.
Because the CVE-2022-22965 is presently evolving, Avertium will continue to investigate and confirm information about the exploit as we receive it. If your organization could be affected by CVE-2022-22965, Spring recommends that you update to the latest versions as soon as possible. As the exploit evolves, follow their blog for updated information.
CVE-2022-22963At this time, there are no known IoCs for CVE-2022-22963. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, reach out to your Avertium Service Delivery Manager or Account Executive.