
Spring Remote Code Execution Vulnerability

Last Update Date: 11 Apr 2022
Release Date: 1 Apr 2022

RISK: High Risk

TYPE: Security Software & Appliance

A vulnerability has been identified in Spring. A remote attacker can exploit this vulnerability to trigger remote code execution on the targeted system.

A proof-of-concept (PoC) exploit exists for applications running:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as a traditional WAR
  • spring-webmvc or spring-webflux dependency


[Updated on 2022-04-11]

Updated System / Technologies affected, Solutions, Source and Related Links.


Impact

  • Remote Code Execution

System / Technologies affected

  • Spring Boot version prior to 2.6.6
  • Spring Boot version prior to 2.5.12
  • Spring Framework version prior to 5.3.18
  • Spring Framework version prior to 5.2.20


[Updated on 2022-04-11]


For Cisco Products

For details, please refer to the link below:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67

For Apache Tomcat

For details, please refer to the link below:

https://tomcat.apache.org/


Solutions

Before installing the software, please visit the vendor website for more details.

Apply fixes issued by the vendor:

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement


[Updated on 2022-04-11]


For Cisco Products

For details, please refer to the link below:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67


Mitigation Alternative

For Apache Tomcat

For details, please refer to the link below:

https://tomcat.apache.org/

Note: Hardening the class loader provides a mitigation for CVE-2022-22965, a Spring Framework vulnerability.
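Besides the Tomcat class-loader hardening, the Spring announcement linked above describes an application-level workaround: a global data-binder rule that refuses to bind request parameters whose property path passes through a `class` / `Class` property. The following is an added example written for this page, not code from the advisory or from Spring; the class name `BinderControllerAdvice` is an arbitrary choice.

```java
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global @InitBinder applied to every controller in the application.
 * It denies data binding onto any property path that starts with, or
 * traverses, the "class"/"Class" property, which is the path that
 * CVE-2022-22965 abuses to reach the class loader through
 * reflection-based parameter binding.
 */
@ControllerAdvice
public class BinderControllerAdvice {

    // Patterns are matched against the request-parameter property path,
    // e.g. "class.module.classLoader.x" would be rejected by "class.*".
    private static final String[] DISALLOWED_FIELDS = {
        "class.*",
        "Class.*",
        "*.class.*",
        "*.Class.*"
    };

    @InitBinder
    public void hardenDataBinder(WebDataBinder dataBinder) {
        // Rejected fields are silently skipped rather than bound; this
        // does not change the behaviour of legitimate form parameters.
        dataBinder.setDisallowedFields(DISALLOWED_FIELDS);
    }
}
```

Note that a controller with its own `@InitBinder` method calling `setDisallowedFields` replaces this list locally, so such controllers must include the same patterns; the workaround complements, and does not replace, upgrading to the fixed Spring Framework and Spring Boot versions listed above.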

Vulnerability Identifier

  • CVE-2022-22965