Action Needed: Critical Vulnerability in Spring Java framework
Threat: CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
UPDATE 4/8/2022: Trend Micro Threat Research today confirmed that this Spring4Shell vulnerability has been exploited by the Mirai botnet.
From the Spring advisory: “The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.” [emphasis added]
Although the announcement lists specific currently-known requirements for whether a specific installation is vulnerable, it goes on to say "the nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet." Continue to monitor the situation no matter what specific Spring configuration you may use.
LSPs need to do the following immediately:
- identify whether they support any server systems running the Spring Framework for Java
- mitigate the issue as described in the Spring advisory
Permanent mitigation:
- Spring Framework 5.3.18 and 5.2.20, which contain the fixes, have been released
- Spring Boot 2.6.6 and 2.5.12 that depend on Spring Framework 5.3.18 have been released.
Temporary mitigation:
- The Spring advisory contains a multistep workaround for those not able to install the patched versions, but warns that the workaround may leave some loopholes.
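As an added example (not code from this bulletin or from the Spring project), this is the shape the advisory's workaround takes for Spring MVC applications: a global @ControllerAdvice whose @InitBinder denylists the class-loader-related property paths from data binding. The package name is hypothetical; a controller that declares its own @InitBinder with setDisallowedFields overrides this global list, which is one of the loopholes the advisory warns about.

```java
package com.example.hardening; // hypothetical package name

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global data-binding hardening applied to every controller.
 * Applied with LOWEST_PRECEDENCE so it runs after other advice;
 * note that a controller-local @InitBinder that calls
 * setDisallowedFields itself replaces this list entirely.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Block property paths that reach the ClassLoader through
        // Class.getClassLoader(), including nested object graphs.
        String[] denylist = new String[] {
            "class.*", "Class.*", "*.class.*", "*.Class.*"
        };
        dataBinder.setDisallowedFields(denylist);
    }
}
```

Treat this as a stopgap only; the permanent fix is upgrading to the patched Spring Framework and Spring Boot releases listed above.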