Fluid Attacks Database

Description

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	libspring-java	=4.3.30-1 \|\| =4.3.30-2 \|\| =4.3.30-3 \|\| =4.3.30-4	-
maven	org.springframework:spring-beans	>=0 <5.2.20.release \|\| >=5.3.0 <5.3.18	5.2.20.release, 5.3.18
debian 14	libspring-java	=4.3.30-3 \|\| =4.3.30-4	-
debian 12	libspring-java	=4.3.30-2 \|\| =4.3.30-3 \|\| =4.3.30-4	-
debian 13	libspring-java	=4.3.30-3 \|\| =4.3.30-4	-
maven	org.springframework:spring-webmvc	>=0 <5.2.20 \|\| >=5.3.0 <5.3.18	5.2.20.release, 5.3.18
maven	org.springframework:spring-webflux	>=0 <5.2.20 \|\| >=5.3.0 <5.3.18	5.2.20.release, 5.3.18
maven	org.springframework.boot:spring-boot-starter-web	>=0 <2.5.12 \|\| >=2.6.0 <2.6.6	2.5.12, 2.6.6
maven	org.springframework.boot:spring-boot-starter-webflux	>=0 <2.5.12 \|\| >=2.6.0 <2.6.6	2.5.12, 2.6.6
maven	org.springframework.boot:spring-boot	>=2.5.0 <2.5.12 \|\| >=2.6.0 <2.6.6	2.5.12, 2.6.6

Aliases

1. CVE-2022-229652. NVD-2022-229653. OSV-DEBIAN-2022-229654. OSV-2022-229655. GCVE-2022-229656. SECURITY-TRACKER-CVE-2022-22965

References

1. https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb152. https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf3. https://github.com/spring-projects/spring-boot/releases/tag/v2.5.124. https://github.com/spring-projects/spring-boot/releases/tag/v2.6.65. https://github.com/spring-projects/spring-framework/releases/tag/v5.2.20.RELEASE6. https://github.com/spring-projects/spring-framework/releases/tag/v5.3.187. https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-00058. https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement9. https://tanzu.vmware.com/security/cve-2022-2296510. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc6711. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-2296512. https://www.kb.cert.org/vuls/id/97076613. https://www.oracle.com/security-alerts/cpuapr2022.html14. https://www.oracle.com/security-alerts/cpujul2022.html15. http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html16. http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html17. https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#suggested-workarounds18. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-22965.yaml19. https://github.com/BobTheShoplifter/Spring4Shell-POC20. https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/spring_framework_rce_spring4shell.rb

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.