March 31, 2022
Spring: 2 RCE Vulnerabilities, 1 Zero-Day
Multiple sources have reported two remote code execution (RCE) vulnerabilities.
One RCE affects ‘Spring Cloud Function’, and the second RCE is a critical zero-day vulnerability dubbed ‘Spring4Shell’, affecting ‘Spring Core’ running on JDK version 9.0 or newer in specific configurations.
Currently, the ‘Spring4Shell’ vulnerability has only a workaround available.
Spring is a subsidiary of VMware. It offers development services through several platforms. ‘Spring Framework’ is an application framework and inversion of control container for the Java platform. ‘Spring Cloud’ is a cloud application development platform.
- CVE-2022-22963, Medium Severity – In ‘Spring Cloud Function’ versions 3.1.6, 3.2.2 and older unsupported versions, when using the routing functionality it is possible for a user to provide a specially crafted SpEL expression as a routing-expression, which may result in access to local resources. This vulnerability is exploitable remotely and no privileges are required.
- Spring4Shell, Critical – In ‘Spring Core’ with JDK 9.0 or newer, and in specific configurations, due to unsafe binding of passed request arguments, it is possible to plant a webshell on vulnerable systems using a POST request, which leads to remote code execution.
Products affected by CVE-2022-22963:
- ‘Spring Cloud Function’ versions 3.1.6, 3.2.2 and older, unsupported versions.
Products affected by Spring4Shell:
- ‘Spring Core’, with JDK versions 9.0 or newer with ‘DataBinder’ enabled, or other vulnerable configurations that are not yet discovered.
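Because the vulnerable configurations above centre on ‘DataBinder’, it helps to see what a binder-level hardening looks like in code. The following is an added example, not code from the original advisory or from Spring, and not a substitute for patching: a Spring MVC `@ControllerAdvice` that registers a global `@InitBinder` and uses the existing `WebDataBinder.setDisallowedFields` API to refuse request parameters that try to bind through a `class` property chain. The package and class names are assumptions.

```java
package com.example.hardening; // assumed package name, not from the advisory

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global binder hardening applied to every @Controller in the application.
 *
 * @Order here only ranks this advice among other @ControllerAdvice beans.
 * Spring invokes advice-level @InitBinder methods before controller-local
 * ones, so a controller that calls setDisallowedFields itself replaces this
 * list; keep such local calls out of controllers or repeat the patterns there.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderHardeningAdvice {

    // Request parameter names matching these patterns are skipped by data
    // binding instead of being written into the target bean. The four
    // spellings cover a "class"/"Class" segment at the start and nested
    // inside a longer property path.
    private static final String[] DENIED_FIELDS = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void denyClassPropertyBinding(WebDataBinder binder) {
        binder.setDisallowedFields(DENIED_FIELDS);
    }
}
```

Drop the class into any package scanned by the application context; no further registration is needed. Treat it as defence in depth only: it narrows what request parameters can reach bean properties, while the upstream fix remains the upgrade.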
CYREBRO recommends upgrading ‘Spring Cloud Function’ to version 3.1.7 or 3.2.3 to fully mitigate the vulnerability.
As a temporary workaround of the vulnerability, CYREBRO recommends
CYREBRO will continue monitoring the vulnerability and update with any relevant developments.