Security Patch Releases for Critical Zero-Day Bug in Java Spring Framework

Java Spring Framework

The maintainers of Spring Framework have released an emergency
patch to address a newly disclosed remote code execution flaw[1] that, if successfully
exploited, could allow an unauthenticated attacker to take control
of a targeted system.

Tracked as CVE-2022-22965[2], the high-severity flaw
impacts Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19,
and other older, unsupported versions. Users are recommended to
upgrade to versions 5.3.18 or later and 5.2.20 or later.

CyberSecurity

The Spring Framework is a Java framework that offers
infrastructure support to develop web applications.

“The vulnerability impacts Spring MVC[3]
[model–view–controller] and Spring WebFlux applications running on
[Java Development Kit] 9+,” Rossen Stoyanchev of Spring.io said[4]
in an advisory published Thursday.

“The specific exploit requires the application to run on Tomcat
as a WAR deployment. If the application is deployed as a Spring
Boot executable jar, i.e., the default, it is not vulnerable to the
exploit. However, the nature of the vulnerability is more general,
and there may be other ways to exploit it,” Stoyanchev added.

“Exploitation requires an endpoint with DataBinder enabled
(e.g., a POST request that decodes data from the request body
automatically) and depends heavily on the servlet container for the
application,” Praetorian researchers Anthony Weems and Dallas Kaman
said[5].

CyberSecurity

That said, Spring.io warned that the “nature of the
vulnerability is more general” and that there could be other ways
to weaponize the flaw that has not come to light.

The patch arrives as a Chinese-speaking researcher briefly
published a GitHub commit that contained proof-of-concept (PoC)
exploit code for CVE-2022-22965 on March 30, 2022, before it was
taken down.

Spring.io, a subsidiary of VMware, noted that it was first
alerted to the vulnerability “late on Tuesday evening, close to
midnight, GMT time by codeplutos, meizjm3i of AntGroup FG Security
Lab.” It also credited cybersecurity firm Praetorian for reporting
the flaw.

References

  1. ^
    remote
    code execution flaw
    (thehackernews.com)
  2. ^
    CVE-2022-22965
    (tanzu.vmware.com)
  3. ^
    MVC
    (en.wikipedia.org)
  4. ^
    said
    (spring.io)
  5. ^
    said
    (www.praetorian.com)

Read more

Leave a Reply