The maintainers of Spring Framework have released an emergency patch to address a newly disclosed remote code execution flaw that, if successfully exploited, could allow an unauthenticated attacker to take control of a targeted system.
Tracked as CVE-2022-22965, the high-severity flaw impacts Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and other older, unsupported versions. Users are recommended to upgrade to versions 5.3.18 or later and 5.2.20 or later.
The Spring Framework provides infrastructure support for web application development.
“The vulnerability impacts Spring MVC [model–view–controller] and Spring WebFlux applications running on [Java Development Kit] 9+,” Rossen Stoyanchev of Spring.io said in an advisory published Thursday.
The specific exploit works only if the application runs on Tomcat as a WAR deployment; it is not possible if the application is deployed as a Spring Boot executable jar. Stoyanchev added that the nature of the vulnerability is broader than this one exploit and that other ways to exploit it could exist.
“Exploitation requires an endpoint with DataBinder enabled (e.g., a POST request that decodes data from the request body automatically) and depends heavily on the servlet container for the application,” Praetorian researchers Anthony Weems and Dallas Kaman said.
However, Spring.io cautioned that the “nature” of the vulnerability was more widespread and suggested that other methods could exist to exploit the flaw.
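Because the flaw is reached through DataBinder, the interim mitigation is to stop every binder in the application from binding request parameters onto the `class` property chain. The following is an added example, not code from the article; it assumes a Spring MVC application that cannot be upgraded immediately, and the denylist patterns follow the workaround Spring published alongside its advisory.

```java
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Global binder initializer: applies to every DataBinder created for
// any controller in the application (Spring MVC, assumed deployment).
@ControllerAdvice
public class BinderControllerAdvice {

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Refuse to bind any request parameter whose property path passes
        // through "class"/"Class" at any nesting level, e.g. the path that
        // reaches the class loader. Patterns are simple wildcard matches.
        String[] denylist = new String[] {
            "class.*", "Class.*", "*.class.*", "*.Class.*"
        };
        dataBinder.setDisallowedFields(denylist);
    }
}
```

Controllers that declare their own `@InitBinder` method and call `setDisallowedFields` replace this global list rather than extend it, so they must repeat the same patterns; the workaround is a stopgap, and upgrading to a fixed release is still the recommended fix.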
The patch arrives as a Chinese-speaking researcher briefly published a GitHub commit that contained proof-of-concept (PoC) exploit code for CVE-2022-22965 on March 30, 2022, before it was taken down.
Spring.io, a subsidiary of VMware, noted that it was first alerted to the vulnerability “late on Tuesday evening, close to midnight, GMT time by codeplutos, meizjm3i of AntGroup FG Security Lab.” It also credited cybersecurity firm Praetorian for reporting the flaw.