Critical Spring Framework RCE Vulnerability
On March 29, 2022, a Critical Day 0 vulnerability was officially reported by Spring by VMware that affects Spring MVC and Spring WebFlux applications (CVE-2022-22965). This document describes the vulnerability, what Lacework is doing to provide you with the appropriate coverage, and what you should be doing to protect your organization.
Remediation (based on guidance from Github)
Upgrade the following:
- org.springframework.boot:spring-boot-starter-web to 2.5.12 and 2.6.6
- org.springframework.boot:spring-boot-starter-webflux to 2.5.12 and 2.6.6
- org.springframework:spring-beans to 5.2.20 and 5.3.18
- org.springframework:spring-core to 5.2.20 and 5.3.18
- org.springframework:spring-webflux to 5.2.20 and 5.3.18
- org.springframework:spring-webmvc to 5.2.20 and 5.3.18
What is the Spring Framework RCE via Data Binding on JDK 9+?
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
What has Lacework been doing to protect you since the vulnerability was announced?
As of March 31, 2022 at 8:30pm PT, all active container images for all customers have been re-evaluated for this vulnerability. If this vulnerability was identified in your environment, it appears as a Critical vulnerability (CVE-2022-22965) for all affected packages in your vulnerability dashboard, and Lacework recommends that you take action as soon as possible to remediate it.
While the presence of these packages indicates a POTENTIAL vulnerability, there are additional dependencies required for exploitation:
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- spring-webmvc or spring-webflux dependency
Additional investigation is required to determine whether your applications are specifically vulnerable, however, we recommend upgrading even if the exploit conditions are not met to prevent risk of exploitation if your configuration changes in the future or new attack vectors are discovered.
This is how you can check for the vulnerability in container images
Under Vulnerabilities > Containers, select Group by Image ID and Advanced search CVE includes, CVE-2022-22965. If it’s not already selected, select Active in last 24 hours.
The packaging dependency (WAR) lends itself more to non-container deployments where you first install Tomcat and then deploy applications as WAR files.
Detecting potential resulting exploits in run time
CVE-2022-22965 is a remote code execution (RCE) vulnerability and, at run time, exploits can be used to take complete control of applications as well as containers. However, an exploited workload will show signs of network activity from unknown servers or could show unusually heavier activity from known sources.
Lacework’s anomaly detection techniques allow customers to identify unusual network activities that can be investigated with the Polygraph visual representations, or through events originating from hosts or containers impacted by such vulnerabilities.
Lacework Labs will be monitoring for post-exploit activity, including historical data. We will provide specific recommendations to customers if a compromise is detected.
See The OAST with the most - Lacework, our most recent blog post on finding exploitable vulnerabilities in web applications.
What is the recommended remediation?
It is critical that you upgrade Spring to the noted versions above to remediate this vulnerability.