Geek Culture


Spring Core RCE (CVE-2022-22965): A Deep Understanding

Kondah Mouad · Published in Geek Culture · 8 min read · Apr 2, 2022

In this post, I provide a detailed explanation of CVE-2022-22965, together with the background needed for a deep and comprehensive understanding of the vulnerability.

We aim to answer the following questions:

  • What is CVE-2022-22965, and how is it linked to CVE-2010-1622?
  • Why does it affect only JDK 9+?
  • Why does it only affect Spring's default data binding?
  • Why does it only affect Spring applications deployed on Tomcat using WAR packaging?
  • Why does the suggested temporary workaround work?
  • How did the Spring team fix CVE-2022-22965?

If you are not familiar with Tomcat JSP files, going quickly through this article is enough.

If you're not very technical, you can skip straight to Exploiting Tomcat ClassLoader.

Many PoCs are available, for example this one: https://github.com/TheGejr/SpringShell. To set up a suitable environment for running the PoC, you can have a look here (or).

Spring Binding Background

Data binding is useful for allowing user input to be dynamically bound to the domain model of an application (or whatever objects you use to process user input). Spring provides the so-called DataBinder to do exactly that.
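To make the binding step concrete, here is an added example (not code from the article or from the Spring project) that uses Spring's `DataBinder` directly, outside of any web request. The `UserForm` class and the request parameters are constructed for illustration. It also shows the defensive control that matters for the rest of this discussion: by default the binder will populate any writable property it can reach, so restricting binding to an explicit allowlist of fields with `setAllowedFields` is the standard hardening.

```java
import java.util.Arrays;

import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.BindingResult;
import org.springframework.validation.DataBinder;

public class DataBinderDemo {

    // Hypothetical domain object standing in for "whatever objects you use to process user input".
    public static class UserForm {
        private String name;
        private int age;

        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public int getAge() { return age; }
        public void setAge(int age) { this.age = age; }
    }

    public static void main(String[] args) {
        UserForm form = new UserForm();
        DataBinder binder = new DataBinder(form, "userForm");

        // Allowlist: only these property paths may be populated from client input.
        // Any other submitted field is dropped and recorded as "suppressed", not bound.
        binder.setAllowedFields("name", "age");

        // Constructed sample of request parameters; in a web application these would
        // come from the HTTP request and be bound by WebDataBinder.
        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.add("name", "alice");
        pvs.add("age", "42");        // String converted to int by the binder
        pvs.add("admin", "true");    // not on the allowlist: ignored

        binder.bind(pvs);
        BindingResult result = binder.getBindingResult();

        System.out.println("name=" + form.getName() + " age=" + form.getAge()
                + " errors=" + result.getErrorCount());
        System.out.println("suppressed=" + Arrays.toString(result.getSuppressedFields()));
    }
}
```

Without the `setAllowedFields` call, the same binder accepts any property path the client names, including nested paths through other objects; that unrestricted default is the surface the article goes on to examine, and an allowlist (or, as in Spring's published workaround, a `setDisallowedFields` denylist) is what closes it.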
