Spring4Shell Zero-Day Vulnerability: Information and Remediation for CVE-2022-22965

CVE-2022-22965: Spring4Shell Zero-Day Vulnerability
Table of Contents

Updates

The Mend research team will update this blog and our Mend resources as we learn more about CVE-2022-22965.

April 13, 2022 –
“Data Binding Rules Vulnerability CVE-2022-22968” follow-up blog post published, related to the “disallowedFields” from the Suggested Workarounds

April 4, 2022 –
Am I Impacted with improved description of deployment requirements


April 2, 2022 –
Mend’s recommended actions to fix CVE-2022-22965 are below:

  1. Run an organization-wide inventory report.  We have also created our free Spring4Shell Detect tool, which quickly scans your projects to find the vulnerable Spring4shell versions.
  2. Search the inventory report for libraries with instances of the referenced vulnerability to identify impacted applications.
  3. Contact relevant teams and alert them to the urgency of upgrading to the fix.
  4. Here are the different relevant fixes: Users of affected versions should apply the necessary mitigations and/or remediation:
    • Mitigation Recommendations: See below.
    • Remediation Recommendations: Mend Vulnerability Database If you are running Mend Enterprise with Renovate, it will identify and recommend a pull request with the latest version of the top-level affected package. Adding the linked Renovate configuration will include transitive dependencies.

April 1, 2022 – 16:35 BST
Am I Impacted with additional notes

April 1, 2022 – 13:05 BST
Workarounds section for Apache Tomcat upgrades and Java 8 downgrades

April 1, 2022 – 12:51 BST
Apache Tomcat releases versions 10.0.209.0.62, and 8.5.78 which close the attack vector on Tomcat’s side, see mitigation alternative


March 31, 2022 – 4 PM BST
Spring Boot 2.6.6 is available
Spring Boot 2.5.12 is available
CVE-2022-22965 is published


Overview

The internet is abuzz with the disclosure of CVE-2022-22965, an RCE vulnerability in Spring, one of the most popular open-source frameworks for Java applications in use today. Known as “Spring4Shell” or “SpringShell”, the zero-day vulnerability has triggered widespread concern about the possibility of a wave of malicious attacks targeting vulnerable applications. Is this Log4j 2.0? 

This is a developing event, and there is still some lack of clarity regarding the specifics of this vulnerability. The Mend research team is carefully observing developments and researching the case and will update this page and our Mend resources as we learn more.  

Spring released an announcement regarding this vulnerability a few hours ago.

According to the announcement, CVE-2022-22965 affects Spring MVC (spring-webmvc) and Spring WebFlux (spring-webflux) when running on JDK 9 or above. In addition, the currently available exploit requires that the application be packaged as a WAR and deployed to Apache Tomcat. However, the Spring team emphasized that “the nature of the vulnerability is more general, and there may be other ways to exploit it”.

The vulnerability in Spring Beans allows attackers under certain circumstances to achieve remote code execution (RCE). Current PoC related to the attack is done by creating a specially crafted request which manipulates ClassLoader to successfully achieve RCE.

It is important to note that this is a separate case from CVE-2022-22963, which is related to Spring Cloud Function. In CVE-2022-22963, a malicious actor can provide a specially crafted SpEL as a routing-expression that may result in access to local resources. Again, CVE-2022-22963 is not Spring4Shell (CVE-2022-22965), and the two are not related. The confusion stems from the fact that both were disclosed at nearly the same time.

Mitigation guidance

At present, VMWare has officially released a confirmed patch related to CVE-2022-22965 and we highly recommend upgrading your software to Spring Framework 5.3.18. A backported fix is also available for Spring Framework 5.2.20.

While these two releases address the vulnerability, the release process for Spring Boot is still in progress.

Manage open source application risk

Recent resources

Mend.io is a Strong Performer in the Forrester Wave™ Software Composition Analysis, Q4 2024

See why Mend.io is recognized as a Strong Performer in The Forrester Wave™ Software Composition Analysis (SCA) Q4 2024 report.

Read more

Mend.io & HeroDevs Partnership: Eliminate Risks in Deprecated Package

Announcing an exclusive partnership between Mend.io and HeroDevs to provide support for deprecated packages.

Read more

All About RAG: What It Is and How to Keep It Secure

Learn about retrieval-augmented generation, one complex AI system that developers are using.

Read more