CYREBRO Resources

E-Books & Guides

Spring: 2 RCE Vulnerabilities, 1 Zero-Day

  • Threat Intelligence

March 31, 2022

 Spring: 2 RCE Vulnerabilities, 1 Zero-Day

Multiple sources have reported of 2 remote code execution vulnerabilities.

One RCE affects ‘Spring Cloud Function’, and the second RCE is a critical zero-day vulnerability dubbed ‘Spring4Shell‘, affecting ‘Spring Core’ with JDK version 9.0 or newer, running specific configurations.

Currently, the ‘Spring4Shell’ vulnerability has only a workaround available.

Spring is a subsidiary of VMware. It offers development services through several platforms. ‘Spring Framework’ is an application framework and inversion of control container for the Java platform. ‘Spring Cloud’ is a cloud application development platform.

The Vulnerabilities

  • CVE-2022-22963, Medium Severity – In ‘Spring Cloud Function’ versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in access to local resources. This vulnerability is exploitable remotely and no privileges are required.
  • Spring4ShellCritical – In ‘Spring Core’ with JDK 9.0 or newer, and in specific configurations, due to an unsafe deserialization of passed arguments, it is possible to plant a webshell on vulnerable systems using a POST request, which leads to remote code execution.

Affected Products

Products affected by CVE-2022-22963:

  • ‘Spring Cloud Function’ versions 3.1.6, 3.2.2 and older, unsupported versions.

Products affected by Spring4Shell:

  • ‘Spring Core’, with JDK versions 9.0 or newer with ‘DataBinder’ enabled, or other vulnerable configurations that are not yet discovered.

Mitigation

CVE-2022-22963

CYREBRO recommends upgrading to ‘Spring Cloud Function’ to versions 3.1.7 or 3.2.3 to fully mitigate the vulnerability.

Workaround 

for ‘Spring4Shell’

As a temporary workaround of the vulnerability, CYREBRO recommends creating a ‘ControllerAdvice’ component (a Spring component shared across Controllers) and adding the following patterns to the denylist:

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
@ControllerAdvice
@Order(10000)
public class BinderControllerAdvice {
    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
         String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
         dataBinder.setDisallowedFields(denylist);
    }
}

CYREBRO will continue monitoring the vulnerability and update with any relevant developments.

References: VMware advisory, Bleeping Computer

Back to Resources

Sign Up for Updates