Spring4Shell — A new Vulnerability?
Two new vulnerabilities were discovered in the Spring Core Java library on March 29, 2022. Any system running JDK 9.0 or later together with the Spring Framework or a derivative framework should be considered vulnerable. The vulnerability affects Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment; an application deployed as a Spring Boot executable jar (the default) is not vulnerable to that exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CVE-2022-22963: In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when the routing functionality is used, a user can supply a specially crafted SpEL expression as a routing-expression, which may result in remote code execution and access to local resources.
CVE-2022-22965: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Spring Core is a popular library, much like Log4j, which spawned the infamous Log4Shell vulnerability. The vulnerability allows a remote, unauthenticated attacker to reach exposed Java class objects, which in turn can lead to remote code execution (RCE). It has a high impact on confidentiality, integrity, and availability, and because the technical details are publicly available it is easy to exploit.
While there was initial debate about how serious the bug was, sleuthing by security researchers in the days after the flaw was discovered revealed that Spring4Shell was indeed a serious bug that warranted attention. On April 1, the US Cybersecurity and Infrastructure Security Agency (CISA) urged all US organizations, including federal agencies, to patch it immediately. On April 4, CISA added the bug to its Known Exploited Vulnerabilities catalog, which requires federal agencies to patch it within a set deadline.
The preferred response is to update to Spring Framework 5.3.18 or 5.2.20, or a later release. If you have done this, no workarounds are necessary. However, some teams may not be in a position to upgrade quickly, so we have provided some workarounds below:
- Upgrading Tomcat
- Downgrading to Java 8
- Disallowed Fields
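The "Disallowed Fields" workaround, as an added example rather than code from the original post: a global @ControllerAdvice that stops request parameters from binding to the `class` / `Class` property paths on any model object (the package name is an assumption).

```java
package com.example.mitigation; // package name is an assumption

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Applied to every controller in the application so that data binding can no
// longer walk into "class" / "Class" properties, the path used by CVE-2022-22965.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Deny both capitalisations, at the root and at any nesting depth.
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

A controller that calls setDisallowedFields in its own @InitBinder method overrides this global list, so such controllers must repeat the same patterns locally. This is a stopgap for deployments that cannot upgrade yet, not a replacement for moving to a fixed Spring Framework release.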