SECURITY ALERTS

A Vulnerability (CVE-2022-22965) in the Spring Framework Could Allow Arbitrary Code Execution

DESCRIPTION:
The Spring Framework is a widely used lightweight open-source application framework for Java. CVE-2022-22965, also known as Spring4Shell, is a vulnerability in the data binding that populates an object from request parameters: a crafted request can traverse the bound object's "class" property to reach the servlet container's ClassLoader. Systems are exposed to arbitrary code execution when all of the following conditions hold:
1. Running JDK 9 or later
2. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or older unsupported versions
3. Apache Tomcat as the Servlet container
4. Packaged as a traditional Java web archive (WAR) and deployed in a standalone Tomcat instance; typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted
5. The application depends on spring-webmvc or spring-webflux
Spring notes that the underlying weakness is more general than this known exploit and that other attack paths may exist, so these preconditions should not be treated as a substitute for patching.

AFFECTED RELEASES:
Spring Framework prior to 5.2.20
Spring Framework prior to 5.3.18
Spring Boot prior to 2.5.12
Spring Boot prior to 2.6.6

SOLUTION:
1. Users and system administrators of affected products are advised to apply the security updates listed below:
(1) For the Spring Framework, update to 5.2.20, 5.3.18 or later.
(2) For Spring Boot, update to 2.5.12, 2.6.6 or later.
2. If you cannot update, refer to the "Suggested Workarounds" section of the official announcement (reference 1) and apply one of the following:
(1) Upgrade Apache Tomcat to 10.0.20, 9.0.62, 8.5.78 or later. This closes the known attack path on the container side only; the Spring Framework itself remains unpatched.
(2) Downgrade to Java 8.
(3) Disable binding to the abused property paths by setting "disallowedFields" on "WebDataBinder" globally, for example from a @ControllerAdvice whose @InitBinder method denies "class.*", "Class.*", "*.class.*" and "*.Class.*". Note that a controller which calls setDisallowedFields in its own @InitBinder method overrides this global setting; reference 2 describes how to apply the denylist after all binder initialization instead.
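The following is an added example, not code from the advisory or from the Spring project. It shows workaround (3) in two forms: the global @ControllerAdvice denylist as published in the Spring announcement, and the variant from the mitigation-alternative post (reference 2) that appends the denylist after every @InitBinder method has run, so a controller-local setDisallowedFields call cannot undo it. The class names BinderControllerAdvice, Spring4ShellDenylist, HardenedHandlerAdapter and HardenedMvcConfig are chosen here for illustration; the Spring API calls are the framework's own.

```java
// Added example for CVE-2022-22965 mitigation; class names are illustrative,
// Spring API methods are real. Targets a plain Spring MVC WAR on Tomcat.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.context.request.NativeWebRequest;
import org.springframework.web.method.annotation.InitBinderDataBinderFactory;
import org.springframework.web.method.support.InvocableHandlerMethod;
import org.springframework.web.servlet.config.annotation.DelegatingWebMvcConfiguration;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;
import org.springframework.web.servlet.mvc.method.annotation.ServletRequestDataBinderFactory;

// Property-path patterns from the Spring announcement. They cut off the walk
// from any bound object through "class" / "Class" to the container ClassLoader.
final class Spring4ShellDenylist {
    static final String[] PATTERNS = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
    private Spring4ShellDenylist() {}
}

// Option A: the published workaround. Applies to every controller, but
// WebDataBinder.setDisallowedFields REPLACES the array, so a controller whose
// own @InitBinder calls setDisallowedFields silently discards this denylist.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
class BinderControllerAdvice {
    @InitBinder
    public void denyClassLoaderPaths(WebDataBinder binder) {
        binder.setDisallowedFields(Spring4ShellDenylist.PATTERNS);
    }
}

// Option B (reference 2): merge the denylist into the binder AFTER all global
// and controller-local @InitBinder methods have executed.
class HardenedHandlerAdapter extends RequestMappingHandlerAdapter {
    @Override
    protected InitBinderDataBinderFactory createDataBinderFactory(List<InvocableHandlerMethod> binderMethods) {
        return new ServletRequestDataBinderFactory(binderMethods, getWebBindingInitializer()) {
            @Override
            public void initBinder(WebDataBinder binder, NativeWebRequest request) throws Exception {
                // Runs the @InitBinder methods, including any controller-local
                // setDisallowedFields call that would overwrite Option A.
                super.initBinder(binder, request);
                // Keep whatever the controller denied and add our patterns on top.
                String[] existing = binder.getDisallowedFields();
                List<String> merged = new ArrayList<>();
                if (existing != null) {
                    merged.addAll(Arrays.asList(existing));
                }
                merged.addAll(Arrays.asList(Spring4ShellDenylist.PATTERNS));
                binder.setDisallowedFields(merged.toArray(new String[0]));
            }
        };
    }
}

// Register Option B in a plain Spring MVC configuration (no Spring Boot).
@Configuration
class HardenedMvcConfig extends DelegatingWebMvcConfiguration {
    @Override
    protected RequestMappingHandlerAdapter createRequestMappingHandlerAdapter() {
        return new HardenedHandlerAdapter();
    }
}
```

Use Option A when no controller in the application configures disallowedFields itself; otherwise deploy Option B, which is the reason the mitigation-alternative post exists. Either way this is a stopgap: it blocks the known property paths, not the underlying binding weakness, so upgrading the Spring Framework remains the fix.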

REFERENCES:
1. https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
2. https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative
3. https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/
