Spring Cloud Function and Spring Framework Remote Code Execution Vulnerabilities

CVE-2022-22963: In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when the routing functionality is used, a user can supply a specially crafted SpEL expression as a routing expression, which may result in remote code execution and access to local resources.

CVE-2022-22965: A newly disclosed vulnerability in Spring MVC and Spring WebFlux applications may lead to remote code execution on affected systems. At this time, Spring MVC and Spring WebFlux applications running as WAR deployments on Tomcat are thought to be vulnerable; however, because the nature of the vulnerability is more general, there may be other, as yet unknown, ways to exploit it, now or in the future. (NIST has not yet analysed these vulnerabilities or assigned CVSS scores to them.)

Affected Systems

Applications that meet the criteria below are thought to be affected:

CVE-2022-22963:

  • Spring Cloud Function version 3.1.6,
  • Spring Cloud Function version 3.2.2,
  • Older, unsupported versions are also affected.

CVE-2022-22965:

  • Running on JDK version 9+ (or equivalent),
  • Using Apache Tomcat as the servlet container,
  • Packaged as WAR,
  • Dependent on spring-webmvc or spring-webflux.

IoCs

-

Recommended Solution(s)

The following mitigations have been suggested:

CVE-2022-22963:

  • Upgrade to Spring Cloud Function version 3.1.7 or 3.2.3

CVE-2022-22965:

  • Upgrade to Spring Framework version 5.3.18 or later, or 5.2.20 or later
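As an added audit helper, which is not part of this advisory, the following hypothetical Python script applies the affected-version criteria and the fixed versions listed above to the jar names found under WEB-INF/lib in a deployed WAR, for both CVE-2022-22963 (Spring Cloud Function 3.1.x below 3.1.7, 3.2.x below 3.2.3, older lines) and CVE-2022-22965 (spring-webmvc/spring-webflux with Spring Framework 5.3.x below 5.3.18, 5.2.x below 5.2.20, older lines, only when the JDK 9+ / Tomcat / WAR deployment criteria also hold). It assumes that the artifact version can be read from the jar filename, which is usual for Maven-built WARs; the sample WAR it builds in memory is constructed for illustration.

```python
"""Hypothetical WAR audit for the version criteria in this advisory.
Added example; not code from the advisory or from the Spring project."""
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Fixed versions stated in the advisory, keyed by (major, minor) release line.
SPRING_FRAMEWORK_FIXED: Dict[Tuple[int, int], Version] = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
SPRING_CLOUD_FUNCTION_FIXED: Dict[Tuple[int, int], Version] = {(3, 1): (3, 1, 7), (3, 2): (3, 2, 3)}

# "<artifact>-<numeric version>[-qualifier].jar"; the non-greedy artifact group
# stops at the first "-<digit>" so "spring-cloud-function-context-3.2.2.jar"
# splits into artifact "spring-cloud-function-context" and version "3.2.2".
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d+(?:\.\d+)*)(?:[.-][\w.]+)?\.jar$")


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: Version, fixed_by_line: Dict[Tuple[int, int], Version]) -> bool:
    """True when the version is below the fix for its release line.
    Release lines older than any listed fix are treated as affected (the
    advisory says older, unsupported versions are affected); lines newer
    than every listed fix are treated as not affected."""
    line = version[:2]
    if line in fixed_by_line:
        return version < fixed_by_line[line]
    return line < min(fixed_by_line)


def classify_jar(filename: str) -> Optional[Tuple[str, str]]:
    """Map one jar filename to (CVE id, finding text), or None if it is not a
    version affected by either CVE in this advisory."""
    match = JAR_RE.match(filename)
    if not match:
        return None
    artifact = match.group("artifact")
    version = parse_version(match.group("version"))
    if artifact.startswith("spring-cloud-function"):
        if is_vulnerable(version, SPRING_CLOUD_FUNCTION_FIXED):
            return ("CVE-2022-22963", f"{filename}: upgrade Spring Cloud Function to 3.1.7 or 3.2.3")
    elif artifact in ("spring-webmvc", "spring-webflux"):
        if is_vulnerable(version, SPRING_FRAMEWORK_FIXED):
            return ("CVE-2022-22965", f"{filename}: upgrade Spring Framework to 5.3.18+ or 5.2.20+")
    return None


def audit_war(war, jdk_major: int, on_tomcat: bool) -> Dict[str, List[str]]:
    """Return findings per CVE for a WAR (path or file-like object).
    A CVE-2022-22965 jar hit is only reported when the deployment criteria
    from the advisory (JDK 9+, Apache Tomcat, WAR packaging) are also met."""
    findings: Dict[str, List[str]] = {"CVE-2022-22963": [], "CVE-2022-22965": []}
    with zipfile.ZipFile(war) as archive:
        lib_jars = [n for n in archive.namelist() if n.startswith("WEB-INF/lib/") and n.endswith(".jar")]
    for entry in lib_jars:
        hit = classify_jar(entry.rsplit("/", 1)[-1])
        if hit is None:
            continue
        cve, message = hit
        if cve == "CVE-2022-22965" and not (jdk_major >= 9 and on_tomcat):
            continue  # vulnerable jar, but the advisory's deployment criteria are not met
        findings[cve].append(message)
    return findings


def build_sample_war() -> io.BytesIO:
    """Constructed in-memory WAR with empty jar entries; only names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in (
            "WEB-INF/lib/spring-webmvc-5.3.17.jar",            # below 5.3.18
            "WEB-INF/lib/spring-core-5.3.17.jar",              # not a jar this check keys on
            "WEB-INF/lib/spring-cloud-function-context-3.2.2.jar",  # below 3.2.3
            "WEB-INF/lib/tomcat-embed-core-9.0.60.jar",
            "WEB-INF/classes/application.properties",
        ):
            archive.writestr(name, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for cve, messages in audit_war(build_sample_war(), jdk_major=11, on_tomcat=True).items():
        print(cve, messages or "no finding")
```

Run it against a real WAR with `audit_war("app.war", jdk_major=<runtime JDK>, on_tomcat=True)`; a shaded or repackaged WAR that hides version numbers in filenames needs the manifest or `pom.properties` inside each jar instead, which this filename-based check does not read.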

To avoid the effects of these vulnerabilities, it is recommended to follow the steps prepared by our technical team for McAfee IPS.


CVE / CWE

CVE-2022-22963, CVE-2022-22965

* Vulnerabilities with a CVSS 3.1 score between 7.0 and 8.9 are evaluated to be “high” whereas vulnerabilities with a CVSS 3.1 score between 9.0 and 10.0 are evaluated to be “critical”.