Threat Response: SpringCore Remote Code Execution Vulnerability

31-03-2022

On Thursday, 31 March 2022, a vulnerability in the Spring Core Framework was published [1]. The vulnerability allows an attacker to perform Remote Code Execution (RCE) and is being tracked as CVE-2022-22965 [2]. A known exploit is currently available. In this message, we would like to inform you about the threat and the possible mitigations.

Description

An unauthenticated remote code execution vulnerability exists in the popular Java framework Spring Core. Spring Core is a set of Java libraries that provide a structured way of developing applications. These applications can run standalone or in a web application environment such as Tomcat. An attacker can use this vulnerability to execute arbitrary code in the context of the Spring application. The impact of the exploit varies with the servlet container the application runs in. Such applications may run with elevated rights. If the application is deployed using the embedded Tomcat servlet container, the access is limited [1]. As such, the rights an attacker acquires can differ per application.

Applications deployed to Apache Tomcat are vulnerable to remote code execution if certain requirements are met. The vulnerability requires the application to run on JDK 9+, and successful exploitation depends on the existence of an endpoint that accepts (specific) POST requests. Based on the currently available information, a vulnerable configuration requires the following:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

However, the nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet [1].

Risk

The vulnerable code is located in a popular library present in many Java-based web applications. Because these types of applications are typically accessible directly from the internet, it is trivial for an attacker to reach a vulnerable server and attack it. We therefore classify the risk as high.

Impact

If an attacker is successful in exploiting the vulnerability, they are able to execute arbitrary code and subsequently take over the server running the vulnerable application. All of this can be done remotely and without authentication. From the vulnerable server, the attacker can obtain access to the rest of the network. For these reasons, we classify the impact of this vulnerability as high.

Mitigation

There are several mitigations available for this vulnerability; however, not all mitigations are fully effective. The only way of resolving this vulnerability is by patching the Spring-based application [1].

New versions of the Spring Core Framework, 5.3.18 and 5.2.20, are available at this moment [1].

New versions of Spring Boot, 2.5.12 and 2.6.6, are available at this moment [1].
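To turn the fixed releases above and the vulnerable configuration listed under Description into a repeatable check, here is an added Python triage helper (example code, not Northwave's or Spring's own); the `Deployment` fields and the status labels it returns are assumptions for illustration.

```python
# Added triage helper for this advisory (not Northwave's or Spring's own code).
from dataclasses import dataclass

# Fixed releases named in the advisory, keyed by release branch (major, minor).
SPRING_FRAMEWORK_FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
SPRING_BOOT_FIXED = {(2, 6): (2, 6, 6), (2, 5): (2, 5, 12)}

def parse_version(text):
    """Turn '5.3.17', '5.2.19.RELEASE' or '5.3.18-SNAPSHOT' into (major, minor, patch)."""
    core = text.split("-")[0]  # drop qualifiers such as -SNAPSHOT
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            break  # stop at textual suffixes such as .RELEASE
        parts.append(int(piece))
    if len(parts) < 2:
        raise ValueError(f"unrecognised version: {text!r}")
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])

def version_status(text, fixed_by_branch):
    """'fixed', 'vulnerable', or 'no-fix-listed'; a SNAPSHOT of the fix counts as vulnerable."""
    v = parse_version(text)
    fixed = fixed_by_branch.get(v[:2])
    if fixed is None:
        return "no-fix-listed"  # branch the advisory names no fixed release for
    if v > fixed or (v == fixed and "SNAPSHOT" not in text.upper()):
        return "fixed"
    return "vulnerable"

@dataclass
class Deployment:  # assumed shape of the facts collected per application
    spring_version: str   # spring-core / spring-webmvc artifact version
    jdk_major: int
    container: str        # "tomcat" (standalone), "embedded-tomcat", "jetty", ...
    packaging: str        # "war" or "jar"
    web_deps: tuple       # artifact ids, e.g. ("spring-webmvc",)

def matches_reported_preconditions(d):
    # The configuration the advisory lists for the currently known exploit.
    return (d.jdk_major >= 9 and d.container == "tomcat" and d.packaging == "war"
            and any(dep in ("spring-webmvc", "spring-webflux") for dep in d.web_deps))

def triage(d):
    status = version_status(d.spring_version, SPRING_FRAMEWORK_FIXED)
    if status == "fixed":
        return "patched"
    if matches_reported_preconditions(d):
        return "exposed"          # matches the reported exploit preconditions: patch now
    return "patch-required"       # unfixed version; other exploitation paths may exist
```

A deployment that does not match the listed preconditions is still reported as needing the patch, because the advisory notes that other ways to exploit the flaw may exist.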

What should you do?

We recommend updating any Spring-based application to the latest version as soon as possible.

What will Northwave do?

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. You can call us by phone or send us an email if you would like additional information.

E-mail: [email protected]

Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909

Disclaimer applies, see below.

Sources

[1]: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

[2]: https://tanzu.vmware.com/security/cve-2022-22965


Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.