Overview of CVE-2022-22965

A zero-day remote code execution (RCE) vulnerability (CVE-2022-22965) was found in VMware’s Spring Framework. The vulnerability was reported on Tuesday, March 29, 2022, and was confirmed by Spring today. According to Spring, the vulnerability severity is critical and affects Spring MVC and Spring WebFlux applications running on JDK 9+.   

CVE-2022-22965 requires that the application run on Tomcat as a WAR deployment. The application can’t be exploited if it’s deployed as a Spring Boot executable jar, which is the default. However, according to Spring, the nature of the vulnerability is more general, and there could be other ways to exploit it that have not yet been reported. How do you know if you’re impacted? Check your deployment against the requirements below:

  • JDK 9 or higher 
  • Apache Tomcat as the Servlet container 
  • Packaged as a traditional WAR (in contrast to a Spring Boot executable jar) 
  • spring-webmvc or spring-webflux dependency 
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions 

To address the issue, Spring released emergency updates, Spring Framework 5.3.18 and 5.2.20. Spring is a Java-based software framework used by many enterprises. The vulnerability affects the following Spring Framework versions:

  • 5.3.0 to 5.3.17 
  • 5.2.0 to 5.2.19 
  • Older, unsupported versions are also affected 
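As an added example (not part of the advisory, and not Spring's or Avertium's code), the following Python script triages a Tomcat WAR deployment against the requirements above: it reads the Spring jar names bundled under WEB-INF/lib, flags versions inside the affected ranges, and combines that with the JDK 9+ and Tomcat WAR preconditions. Versions above the fixed releases are treated as unaffected, and the sample WAR it builds is a constructed fixture with empty jar entries.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Fixed releases named in the advisory: branch -> first fixed version.
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
JAR_RE = re.compile(r"^WEB-INF/lib/spring-(core|webmvc|webflux)-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")

def parse_version(text):
    """Turn '5.3.17' into (5, 3, 17); reject anything that is not x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Spring version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True for 5.3.0-5.3.17, 5.2.0-5.2.19 and every older (unsupported) branch."""
    v = parse_version(version) if isinstance(version, str) else version
    fixed = FIXED.get(v[:2])
    return v < fixed if fixed else v < (5, 2, 0)

def scan_war(war_path):
    """Map each bundled Spring jar to (version, affected?) using WEB-INF/lib names."""
    findings = {}
    with zipfile.ZipFile(war_path) as war:
        for name in war.namelist():
            m = JAR_RE.match(name)
            if m:
                artifact, *parts = m.groups()
                version = ".".join(parts)
                findings[f"spring-{artifact}"] = (version, is_affected(version))
    return findings

def deployment_in_scope(findings, jdk_major, tomcat_war=True):
    """Combine the advisory's preconditions: JDK 9+, Tomcat WAR, affected webmvc/webflux."""
    web = [findings[k][1] for k in ("spring-webmvc", "spring-webflux") if k in findings]
    return jdk_major >= 9 and tomcat_war and any(web)

def build_sample_war():
    """Constructed sample WAR (empty jar entries, names only) so the script runs offline."""
    path = Path(tempfile.mkdtemp()) / "sample.war"
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("WEB-INF/lib/spring-core-5.3.17.jar", b"")
        war.writestr("WEB-INF/lib/spring-webmvc-5.3.17.jar", b"")
        war.writestr("WEB-INF/lib/other-lib-1.0.0.jar", b"")
    return str(path)
```

Run `deployment_in_scope(scan_war(path), jdk_major=11)` against a real WAR to get a yes/no answer; a False from a JDK 8 host or a Spring Boot executable jar means the documented exploit path does not apply, not that the code is fully patched.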

On March 30, the InfoSec community was confused about the vulnerability for two reasons. First, CVE-2022-22965 is not the only Spring vulnerability that was discovered. CVE-2022-22963, also a zero-day RCE vulnerability, affects VMware’s Spring Cloud Function component. According to VMware, when the routing functionality is used, an attacker can supply a specially crafted Spring Expression Language (SpEL) expression as a routing-expression, which could result in access to local resources. The vulnerability was likened to Log4Shell, but it isn’t nearly as dangerous. Spring has since released a patch covering the affected Spring Cloud Function versions, 3.1.6, 3.2.2 and older unsupported versions.

The second reason for the confusion is that neither the proof of concept (PoC) for CVE-2022-22965 nor the vulnerability itself is exploitable against out-of-the-box installations of Spring. An attacker would need specific functionality to be in use in order to exploit it.

Because the situation around CVE-2022-22965 is still evolving, Avertium will continue to investigate and confirm information about the exploit as we receive it. If your organization could be affected by CVE-2022-22965, Spring recommends that you update to the latest versions as soon as possible. As the exploit evolves, follow Spring’s blog for updated information.

How Avertium is Protecting Our Customers:

  • We offer EDR endpoint protection through SentinelOne, Sophos, and Microsoft Defender.  
  • SentinelOne prevents threats and extends protection from the endpoint to beyond. Find threats and eliminate blind spots with autonomous, real-time, index-free threat ingestion and analysis that supports structured, unstructured, and semi-structured data.
  • MDR provides an in-depth investigation into potential threats on an organization’s network. Avertium’s risk-based approach to managed security delivers the right combination of technology, field-validated threat intelligence, and resource empowerment to reduce complexity, streamline operations, and enhance cybersecurity resilience. If you need a more advanced security solution, MDR is the next step. 
  • Avertium recommends utilizing our service for DFIR (Digital Forensics and Incident Response) to help you rapidly assess, contain, eradicate, and recover from a security attack. 

Avertium's recommendations

CVE-2022-22965 

  • Please upgrade to Spring Framework version 5.3.18 or 5.2.20 (whichever matches the branch you run) as soon as possible.
  • Take inventory of installations to make sure your organization has not been compromised. 

CVE-2022-22963 

  • Please upgrade to Spring Cloud Function version 3.1.7 or 3.2.3 (whichever matches the branch you run) as soon as possible.
  • Take inventory of installations to make sure your organization has not been compromised. 


INDICATORS OF COMPROMISE (IOCs):

CVE-2022-22965 

  • A web shell file of the type named below, found in the application’s directory, could be used as an indicator of compromise.
  • A typical request for the web shell will look like this:
    • GET /tomcatwar.jsp?pwd=j&cmd=cat%20/etc/passwd
  • IP addresses
    • 149.28.147[.15]
    • 103.214.146[.5]
    • 158.247.202[.6]
  • File name
    • wpz[.jsp]
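As an added example (not part of the advisory), the following Python snippet runs the CVE-2022-22965 indicators listed above over Tomcat access-log lines in the common log format: it flags the listed source IPs (defanged in the advisory, so the brackets are stripped before matching), the web shell file names, and the pwd=/cmd= request pattern on a .jsp. The log lines are constructed samples; the IoC values are the advisory's own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# IoCs from the advisory; the IPs are defanged there, so strip the brackets for matching.
IOC_IPS = {ip.replace("[", "").replace("]", "") for ip in
           ("149.28.147[.15]", "103.214.146[.5]", "158.247.202[.6]")}
IOC_FILES = {"tomcatwar.jsp", "wpz.jsp"}

# Tomcat common access-log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

def parse_access_line(line):
    """Split one access-log line into a record, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, size = m.groups()
    parts = urlsplit(target)
    return {"ip": ip, "time": ts, "method": method, "path": parts.path,
            "query": parse_qs(parts.query), "status": int(status)}

def match_iocs(rec):
    """Return the advisory IoCs this record matches (an empty list means clean)."""
    hits = []
    if rec["ip"] in IOC_IPS:
        hits.append(f"source ip {rec['ip']}")
    name = rec["path"].rsplit("/", 1)[-1]
    if name in IOC_FILES:
        hits.append(f"web shell file {name}")
    if name.endswith(".jsp") and {"pwd", "cmd"}.issubset(rec["query"]):
        hits.append("web shell request pattern (pwd= and cmd= on a .jsp)")
    return hits

def scan_log(lines):
    """Yield (record, hits) for every parseable line that matches at least one IoC."""
    for line in lines:
        rec = parse_access_line(line)
        hits = match_iocs(rec) if rec else []
        if hits:
            yield rec, hits

# Constructed sample log lines; only the first one is benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Mar/2022:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [31/Mar/2022:10:16:40 +0000] "GET /tomcatwar.jsp?pwd=j&cmd=cat%20/etc/passwd HTTP/1.1" 200 1834',
    '149.28.147.15 - - [31/Mar/2022:10:17:01 +0000] "GET /app/ HTTP/1.1" 404 0',
    '198.51.100.7 - - [31/Mar/2022:10:18:13 +0000] "GET /wpz.jsp HTTP/1.1" 200 10',
]
```

Feed real access logs to `scan_log` with something like `scan_log(open(path))`; a hit on the request pattern is worth checking even when the file name and IP are new, since the web shell can be dropped under any name.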

CVE-2022-22963 

At this time, there are no known IoCs for CVE-2022-22963. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, reach out to your Avertium Service Delivery Manager or Account Executive.   

Supporting documentation

Spring Framework RCE, Early Announcement  

CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+ | Security | VMware Tanzu 

CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression | Security | VMware Tanzu 

Spring Vulnerability Update – Exploitation Attempts CVE-2022-22965, (Thu, Mar 31st) | Iron Castle Systems 

Spring4Shell: Zero-Day Vulnerability in Spring Framework | Rapid7 Blog 

Bug Alert – Advanced warning: possible remote code execution (RCE) in Spring, an extremely popular Java framework 


Contact us for more information about Avertium’s managed security service capabilities.