Spring: 2 RCE Vulnerabilities, 1 Zero-Day

March 31, 2022


Multiple sources have reported two remote code execution (RCE) vulnerabilities in Spring projects.

One RCE affects ‘Spring Cloud Function’, and the second RCE is a critical zero-day vulnerability dubbed ‘Spring4Shell’, affecting ‘Spring Core’ with JDK version 9.0 or newer, running specific configurations.

Currently, the ‘Spring4Shell’ vulnerability has only a workaround available.

Spring is a subsidiary of VMware. It offers development services through several platforms. ‘Spring Framework’ is an application framework and inversion of control container for the Java platform. ‘Spring Cloud’ is a cloud application development platform.

The Vulnerabilities

  • CVE-2022-22963, Medium Severity – In ‘Spring Cloud Function’ versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in access to local resources. This vulnerability is exploitable remotely and no privileges are required.
  • Spring4Shell, Critical Severity – In ‘Spring Core’ with JDK 9.0 or newer, and in specific configurations, due to an unsafe deserialization of passed arguments, it is possible to plant a webshell on vulnerable systems using a POST request, which leads to remote code execution.

Affected Products

Products affected by CVE-2022-22963:

  • ‘Spring Cloud Function’ versions 3.1.6, 3.2.2 and older, unsupported versions.

Products affected by Spring4Shell:

  • ‘Spring Core’, with JDK versions 9.0 or newer with ‘DataBinder’ enabled, or other vulnerable configurations that are not yet discovered.

Mitigation

CVE-2022-22963

CYREBRO recommends upgrading ‘Spring Cloud Function’ to version 3.1.7 or 3.2.3 to fully mitigate the vulnerability.

Workaround for ‘Spring4Shell’

As a temporary workaround of the vulnerability, CYREBRO recommends creating a ‘ControllerAdvice’ component (a Spring component shared across Controllers) and adding the following patterns to the denylist:

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Shared across all controllers; the @InitBinder method runs before each
// request's parameters are bound, so the denylist applies application-wide.
@ControllerAdvice
@Order(10000)
public class BinderControllerAdvice {
    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
         // Reject any request field whose name starts with, or contains,
         // a "class" / "Class" path segment so it cannot be bound.
         String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
         dataBinder.setDisallowedFields(denylist);
    }
}
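As an added example (not CYREBRO's code nor Spring's), the following Python helper applies the same four denylist patterns to request parameter names taken from constructed sample requests, so a defender can see which field names the workaround rejects and which look-alikes (such as ‘classic’ or ‘myclass’) it still allows. The matching assumes Spring's simpleMatch wildcard semantics for these patterns, where ‘*’ is only meaningful at the start or end of a pattern.

```python
from urllib.parse import parse_qsl, urlsplit

# The four denylist patterns from the ControllerAdvice workaround above.
DENYLIST = ["class.*", "Class.*", "*.class.*", "*.Class.*"]


def simple_match(pattern, value):
    """Prefix / suffix / contains match where '*' is only meaningful at the
    pattern's ends (assumed to mirror Spring's PatternMatchUtils.simpleMatch
    for the patterns used here)."""
    starts = pattern.startswith("*")
    ends = pattern.endswith("*")
    core = pattern.strip("*")
    if starts and ends:
        return core in value
    if starts:
        return value.endswith(core)
    if ends:
        return value.startswith(core)
    return value == pattern


def is_disallowed_field(field):
    """True if the denylist would stop this field name from being bound."""
    return any(simple_match(p, field) for p in DENYLIST)


def flag_request(method, target, body=""):
    """Return the sorted parameter names of one request that the denylist rejects.
    Query string and form body are both considered, as both can be bound."""
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    return sorted({name for name, _ in params if is_disallowed_field(name)})


# Constructed sample requests (method, target, form body); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/api/user", "username=alice&classic=true"),
    ("POST", "/api/user", "class.module.foo=bar&username=bob"),
    ("GET", "/api/user?bean.Class.bar=1&x=2", ""),
    ("POST", "/api/user", "myclass=1&classes.x=2"),
]


def scan(requests=SAMPLE_REQUESTS):
    """Triage helper: keep only requests carrying at least one denied field."""
    hits = [(m, t, flag_request(m, t, b)) for m, t, b in requests]
    return [h for h in hits if h[2]]
```

Run over access logs or proxy captures, this only tells you which requests the workaround would have blocked; the enforcement itself stays in the WebDataBinder denylist.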

CYREBRO will continue monitoring the vulnerability and update with any relevant developments.

References: VMware advisory, Bleeping Computer
