On 30 March 2022, a new zero-day vulnerability, CVE-2022-22965, was discovered in applications that run on Tomcat as a WAR deployment with Spring MVC or Spring WebFlux on JDK 9+. Such applications may be vulnerable to remote code execution (RCE) via data binding. The bug lies in the getCachedIntrospectionResults method, which can be abused to gain unauthorized access to objects by passing their class names in an HTTP request. This creates the risk of data leakage and remote code execution when special object classes are used. The vulnerability is remotely exploitable without authentication, i.e., it can be exploited over a network without a username and password.
Below are the prerequisites to exploit this vulnerability:
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as WAR
- spring-webmvc or spring-webflux dependency
Due to the severity of this vulnerability, SentinelOne strongly recommends that customers apply the updates: upgrade Spring 5.3.x to 5.3.18+ and 5.2.x to 5.2.20+.
About the vulnerability
Spring MVC and WebFlux are Java frameworks used to build web applications. They follow the Model-View-Controller design pattern and implement the basic features of the core Spring Framework, such as Inversion of Control and Dependency Injection.
For example, when Spring is deployed on Apache Tomcat, the WebAppClassLoader is accessible, allowing an attacker to call getters and setters that write a malicious JSP file to disk. The attacker sends a malicious payload to any server endpoint, the JSP file is written to disk, and the exploit then lets the attacker execute that JSP code on the vulnerable server.
In short, the vulnerability allows unauthorized remote code execution on affected servers, and attackers are still using the recently discovered exploit against exposed servers.
Affected systems
Various applications and cloud services using the Spring MVC and WebFlux frameworks are exposed to this attack, and security researchers have already shown that CVE-2022-22965 can be exploited on the servers of large companies.
It is highly recommended to upgrade the Spring 5.3.x to 5.3.18+ and 5.2.x to 5.2.20+.
The following versions of Spring Framework are impacted:
- 5.3.0 to 5.3.17
- 5.2.0 to 5.2.19
- Older, unsupported versions are also affected.
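The following is an added example, not SentinelOne's or the Spring project's code, that turns the affected ranges listed above and the WAR prerequisite into an audit check: it scans a packaged .war (or an exploded WAR directory) for spring-webmvc / spring-webflux jars and flags any whose version falls inside the affected ranges (5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or anything older). It assumes the standard Maven jar naming (spring-webmvc-<version>.jar under WEB-INF/lib) and compares versions as (major, minor, patch) tuples; the sample WAR it builds is constructed for the demonstration.

```python
"""Audit a WAR for Spring Framework builds affected by CVE-2022-22965.

Added example, not the advisory's or Spring's own code. Assumes the Spring
jars use the standard Maven names spring-webmvc-<ver>.jar /
spring-webflux-<ver>.jar under WEB-INF/lib.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# First fixed release per maintained line, as stated in the advisory text.
FIRST_FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Matches e.g. WEB-INF/lib/spring-webmvc-5.3.17.jar or
# WEB-INF/lib/spring-webflux-5.2.19.RELEASE.jar (optional qualifier allowed).
JAR_RE = re.compile(
    r"(spring-(?:webmvc|webflux))-(\d+)\.(\d+)\.(\d+)(?:[.-][\w.-]*)?\.jar$"
)


def is_affected(version):
    """True if a (major, minor, patch) Spring version is in an affected range."""
    line = version[:2]
    if line in FIRST_FIXED:
        return version < FIRST_FIXED[line]
    # "Older, unsupported versions are also affected": anything before 5.2.x.
    # Lines newer than 5.3 are not listed as affected by the advisory.
    return line < (5, 2)


def audit_jar_names(names):
    """Classify Spring MVC/WebFlux jars among archive entry names.

    Returns a list of (artifact, version_tuple, affected) per matching jar.
    """
    findings = []
    for name in names:
        m = JAR_RE.search(name)
        if not m:
            continue
        artifact = m.group(1)
        version = tuple(int(m.group(i)) for i in (2, 3, 4))
        findings.append((artifact, version, is_affected(version)))
    return findings


def audit_war(war_path):
    """Audit a packaged .war (a zip file) or an exploded WAR directory."""
    path = Path(war_path)
    if path.is_dir():
        names = [str(p.relative_to(path)) for p in path.rglob("*.jar")]
    else:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
    return audit_jar_names(names)


def build_sample_war(war_path, spring_version):
    """Write a constructed, minimal WAR (empty jar entries) for demonstration."""
    with zipfile.ZipFile(war_path, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr(f"WEB-INF/lib/spring-webmvc-{spring_version}.jar", b"")
        zf.writestr("WEB-INF/lib/jackson-databind-2.13.2.jar", b"")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for ver in ("5.3.17", "5.3.18", "5.2.19.RELEASE", "4.3.30.RELEASE"):
            war = Path(tmp) / f"app-{ver}.war"
            build_sample_war(war, ver)
            for artifact, version, affected in audit_war(war):
                state = "AFFECTED - upgrade" if affected else "not in affected range"
                print(f"{war.name}: {artifact} {'.'.join(map(str, version))}: {state}")
```

Run it against a real deployment with `audit_war("/path/to/app.war")` or the exploded directory Tomcat unpacked it into; a finding marked affected means the Spring line must be moved to 5.3.18+ or 5.2.20+ (or, for unsupported lines, to a supported release). The version check is deliberately a tuple comparison rather than string matching so that 5.3.9 is correctly ordered below 5.3.18.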
Steps for remediation
The latest version of Spring Framework has been released on the official website. Download it and upgrade your service to use the newest version.