Red Hat Product Security is aware of two vulnerabilities affecting the Spring MVC (CVE-2022-22965) and Spring Cloud (CVE-2022-22963) components of the Spring Framework. There are published proof-of-concept attacks that can lead to remote code execution, and reports of exploitation of these vulnerabilities. Red Hat Product Security rated CVE-2022-22963 (Spring Cloud) as Critical impact. The Spring MVC flaw, CVE-2022-22965, has been branded "Spring4Shell" by its finder and is rated with a severity impact of Important.

The following Red Hat product versions are affected. "Affected" means that the vulnerability is present in the product's code, irrespective of usage or mitigations, which may be addressed if the product is vulnerable.

The CVE-2022-22965 flaw lies in Spring Framework, specifically in two modules called Spring MVC and Spring WebFlux. An attacker can pass in specially constructed malicious requests with certain parameters and possibly gain access to normally restricted functionality within a Java Virtual Machine. Spring has provided update fixes (Spring Framework 5.2.20 and 5.3.18). The details are in Spring.io's early announcement post. The CVE advisory cautions that the vulnerability is "general, and there may be other ways to exploit it."

Red Hat Product Security advises everyone using the affected software to upgrade to fixed versions as soon as possible.

The CVE-2022-22963 flaw was found in Spring Cloud Function, in which an attacker could pass malicious code to the server via an unvalidated HTTP header, -expression. A payload of expression language code results in arbitrary execution by the Cloud Function service.

Spring has released fixes for Spring Cloud Function, 3.1.7 and 3.2.3. Affected customers should update the software as soon as patched software is available.

Mitigation

For CVE-2022-22965, Red Hat Product Security strongly recommends affected customers update their affected products once the update is available. For customers who cannot update immediately, risk and exposure can be reduced by the following measures:

- Deploy Spring as an executable JAR instead of a WAR file.
- Remove the spring-webmvc or spring-webflux dependencies.

For CVE-2022-22963, no other mitigation steps are currently available, and affected customers should update immediately as soon as patched software is available.

The CVE-2022-22965 flaw in Spring MVC and Spring WebFlux involves parameter data binding, the mechanism that maps request data into objects the application can use. The reporter of this flaw provided a proof of concept that relied on Apache Tomcat: it accessed the classloader and changed logging properties to place a web shell in Tomcat's root directory, and was subsequently able to call various commands.

Several conditions are required to achieve this exploit via the published proof of concept:

- spring-webmvc or spring-webflux dependency
- No protections in place against malicious data bindings (e.g. a WebDataBinder allow list)

There may be other exploit paths than this, including using an alternative to Tomcat.

The CVE-2022-22963 flaw occurs in the Spring Cloud Function module, via the -expression header, which the attacker modifies to contain malicious expression language code. The attacker is then able to call functions that should not normally be accessible, including runtime exec calls.
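Of the CVE-2022-22965 conditions listed above, the absence of a WebDataBinder allow list is the one an application owner can remove in the application itself while waiting for the Spring Framework update. The following is an added example written for this page, not code from the Red Hat advisory or from Spring's own sources: a Spring MVC `@ControllerAdvice` whose `@InitBinder` method restricts every data binding in the application to a fixed set of property names. The package name, the `ContactForm` command object and its field names, and the `/contact` controller are hypothetical; `WebDataBinder.setAllowedFields`, `@ControllerAdvice`, `@InitBinder` and `@ModelAttribute` are real Spring Framework APIs.

```java
// Added example (not the advisory's or Spring's own code). It demonstrates the
// "WebDataBinder allow list" protection the advisory names as a missing
// condition: every @ModelAttribute binding in the application is limited to a
// fixed set of property paths, so request parameters aimed at any other
// property path are dropped before binding instead of being applied.
package com.example.hardening; // hypothetical package name

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

/** Hypothetical command object that data binding populates from form fields. */
class ContactForm {
    private String name;
    private String email;
    private String message;

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public String getMessage() { return message; }
    public void setMessage(String message) { this.message = message; }
}

/**
 * Applies to every controller in the application. Spring invokes this method
 * for each WebDataBinder it creates, before any request parameter is bound.
 */
@ControllerAdvice
public class BinderAllowListAdvice {

    // The only property paths that may be populated from request data.
    // Matching is Spring's simple pattern matching ("prefix*", "*suffix"),
    // so nested paths such as "address.city" must be listed explicitly or by
    // pattern; any path not matched here, at any depth, is never bound.
    private static final String[] ALLOWED = { "name", "email", "message" };

    @InitBinder
    public void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields(ALLOWED);
    }
}

/** Hypothetical controller; the advice above already applies to it. */
@Controller
class ContactController {

    @PostMapping("/contact")
    public String submit(@ModelAttribute ContactForm form) {
        // With the allow list installed, only name, email and message can have
        // been set from the request, whatever other parameters the client sent.
        return "contact-received";
    }
}
```

An allow list is preferable to `binder.setDisallowedFields(...)` because a deny list has to enumerate every dangerous path and spelling variant and fails open when one is missed, whereas the allow list fails closed. Parameters the binder rejects are recorded at DEBUG level by Spring's DataBinder, which is useful when checking that the advice is active. This reduces exposure on the data-binding path only; it does not replace updating to Spring Framework 5.2.20 or 5.3.18, and it does nothing for the separate CVE-2022-22963 header-based flaw in Spring Cloud Function.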