External risk intelligence

Spring Framework Remote Code Execution Vulnerability

CVE advisory | Known Exploit

CVE-2022-22965

A vulnerability in the Spring Framework could allow unauthorized code execution, impacting organizations using affected applications. This poses a business risk as attackers could gain control of systems, potentially leading to data breaches or service disruptions. Applying vendor-provided updates is recommended.

Halo Surface Signal score: 5

Code Injection

VMware Spring Framework

Affected versions: before 5.2.20; 5.3.0 to before 5.3.18; ...

External exposure likelihood

Halo Surface Signal score for CVE-2022-22965

This vulnerability affects the Spring Framework, a ubiquitous foundation for internet-facing web applications and public-facing APIs. Given its central role in modern web architecture, vulnerable deployments are overwhelmingly likely to be directly reachable via the public internet as part of standard web service operations.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in Spring MVC and Spring WebFlux applications running on Java Development Kit (JDK) version 9 or later. The publicly known exploit requires the application to be deployed as a WAR file on Tomcat; under those conditions an unauthenticated attacker can achieve remote code execution through Spring's data binding, which amounts to full compromise of the affected system and the data it holds.

  • Vulnerable: Spring MVC/WebFlux applications on JDK 9+
  • Flaw: Data binding allows remote code execution
  • Impact: System compromise and data loss

Attack Path

How an attacker could exploit the issue

A Spring MVC or Spring WebFlux application deployed as a WAR on Tomcat and running on JDK 9 or later is the exposure condition. The application is reachable over the network, and the attacker needs neither credentials nor any user interaction. Crafted request parameters are passed through Spring's data binding, which maps them onto object properties, and in the known exploit this leads to remote code execution and control of the host.

  • Application exposed externally.
  • Unauthenticated attacker gains access.
  • Data binding triggers remote execution.
  • Attacker achieves system control.

Live Threat

Current exploitation, exposure, and threat context

The Spring Framework can be exploited through its data binding when the application runs on JDK 9 or later and is deployed as a WAR file on Tomcat. Applications using Spring Boot's default executable jar deployment are not affected by this particular exploit path. The underlying vulnerability is more general, however, and other exploitation paths may exist, so a jar deployment on an affected version still needs the fix. The vulnerability is rated a significant risk because it yields remote code execution and therefore control of the affected system.

  • Low attack complexity; exploitation is publicly known.
  • Applications deployed as WAR on Tomcat.
  • High business risk and urgency.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A critical vulnerability affects Spring MVC and Spring WebFlux applications running on JDK 9 or later, with the known exploit path requiring a WAR deployment on Tomcat. It allows remote code execution. Organizations should identify exposed applications, upgrade Spring Framework to 5.3.18 or 5.2.20 (or later), and verify that the fixed version is actually present in the deployed artifact rather than only in the build file. Where an immediate upgrade is not possible, VMware's published workaround is to register WebDataBinder disallowed-field patterns for class.*, Class.*, *.class.* and *.Class.* through a @ControllerAdvice; that is a stopgap, not a substitute for the upgrade.

  • Find affected assets.
  • Reduce exposure or isolate risk.
  • Fix, verify, and monitor.
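As an added example tying the three actions above to the exploit conditions described under Attack Path and Live Threat (this is illustrative code written for this page, not Halo, VMware or Spring project tooling): a Python triage helper that pulls Spring artifact versions out of Maven/Gradle build text and checks them against the affected ranges (before 5.2.20; 5.3.0 to before 5.3.18), separates "needs the patch" from "matches the known exploit preconditions" (JDK 9+, WAR on Tomcat), and flags access-log requests whose query string carries a class.module.classLoader property path, the request-parameter shape that reaches the data binder on JDK 9+. The artifact list, regular expressions and function names are my assumptions, and the build snippets, JDK strings and log lines are constructed for the example.

```python
"""Triage helpers for CVE-2022-22965 (Spring MVC/WebFlux data-binding RCE).

Added example for this page, not Halo, VMware or Spring project code. Assumed
inputs: pom.xml / build.gradle text, `java -version` style strings, and
Tomcat/Apache combined-format access lines.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

SPRING_ARTIFACTS = ("spring-beans", "spring-context", "spring-web", "spring-webmvc", "spring-webflux")
_MAVEN = re.compile(r"<artifactId>\s*(spring-[a-z-]+)\s*</artifactId>\s*"
                    r"<version>\s*([\d.]+[\w.-]*)\s*</version>")
_GRADLE = re.compile(r"org\.springframework:(spring-[a-z-]+):([\d.]+[\w.-]*)")
_REQUEST = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE)\s+(\S+)')  # request target
# Property paths reaching the JDK 9+ binder start with class.module.classLoader;
# class.classLoader was the pre-JDK 9 variant. Matched after %XX decoding.
_BINDING_PROBE = re.compile(r"(?i)(?:^|[?&.])class\.(?:module\.)?classloader")

def parse_version(v: str) -> Tuple[int, int, int]:
    """'5.3.17.RELEASE' -> (5, 3, 17); missing components read as 0."""
    nums: List[int] = []
    for part in v.split(".")[:3]:
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    nums += [0] * (3 - len(nums))
    return nums[0], nums[1], nums[2]

def spring_vulnerable(version: str) -> bool:
    """Affected ranges from the advisory: before 5.2.20, and 5.3.0 to before 5.3.18."""
    major, minor, patch = parse_version(version)
    if major != 5:
        return major < 5  # 4.x and older are affected; 6.x shipped fixed
    if minor == 2:
        return patch < 20
    if minor == 3:
        return patch < 18
    return minor < 2

def find_spring_deps(build_text: str) -> List[Tuple[str, str]]:
    """Pull (artifact, version) pairs out of Maven or Gradle build text."""
    pairs = _MAVEN.findall(build_text) + _GRADLE.findall(build_text)
    return [(a, v) for a, v in pairs if a in SPRING_ARTIFACTS]

def jdk_major(version_string: str) -> int:
    """'1.8.0_292' -> 8, '11.0.15' -> 11, '17' -> 17."""
    parts = version_string.strip().strip('"').split(".")
    if parts[0] == "1" and len(parts) > 1:  # legacy 1.x numbering
        return int(parts[1])
    return int(re.match(r"\d+", parts[0]).group())

def triage(spring_version: str, jdk_version: str, packaging: str, container: str) -> dict:
    """needs_patch: Spring version is in an affected range at all.
    known_exploit_path: the public exploit's preconditions also hold
    (JDK 9+, WAR on Tomcat). A jar deployment still needs the patch:
    the advisory says other exploitation paths may exist."""
    vulnerable = spring_vulnerable(spring_version)
    exploit_path = (vulnerable and jdk_major(jdk_version) >= 9
                    and packaging.lower() == "war" and container.lower() == "tomcat")
    return {"needs_patch": vulnerable, "known_exploit_path": exploit_path}

def flag_binding_probes(log_lines) -> List[Tuple[str, str]]:
    """(client_ip, decoded target) for requests whose query string carries a
    class.module.classLoader / class.classLoader property path."""
    hits = []
    for line in log_lines:
        m = _REQUEST.search(line)
        if m and _BINDING_PROBE.search(unquote(m.group(1))):
            hits.append((line.split(" ", 1)[0], unquote(m.group(1))))
    return hits

# Constructed sample inputs for this example.
SAMPLE_POM = ("<dependency>\n  <groupId>org.springframework</groupId>\n"
              "  <artifactId>spring-webmvc</artifactId>\n  <version>5.3.17</version>\n</dependency>")
SAMPLE_GRADLE = "implementation 'org.springframework:spring-beans:5.3.18'"
SAMPLE_LOGS = [
    '198.51.100.7 - - [31/Mar/2022:10:01:02 +0000] "POST /app/login HTTP/1.1" 200 512',
    '203.0.113.9 - - [31/Mar/2022:10:01:07 +0000] "GET /app/?class.module.classLoader'
    '.resources.context.parent.pipeline.first.pattern=x HTTP/1.1" 200 12',
    '203.0.113.9 - - [31/Mar/2022:10:01:08 +0000] "GET /app/?user.name=a&Class%2Emodule'
    '%2EclassLoader.DefaultAssertionStatus=true HTTP/1.1" 200 12',
    '198.51.100.8 - - [31/Mar/2022:10:02:11 +0000] "GET /app/classroom?id=3 HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for artifact, ver in find_spring_deps(SAMPLE_POM + SAMPLE_GRADLE):
        print(artifact, ver, "affected" if spring_vulnerable(ver) else "fixed")
    print(triage("5.3.17", "11.0.15", "war", "tomcat"))
    for ip, target in flag_binding_probes(SAMPLE_LOGS):
        print("binding probe from", ip, "->", target)
```

Two caveats for real use. Access logs only record the query string; the public exploit sent its parameters in POST bodies, so the same pattern has to run at a WAF or request-logging layer to catch those, and double URL-encoding would slip past the single unquote here. And a deployment that reports needs_patch without known_exploit_path (a Boot jar, or JDK 8) still belongs on the upgrade list, because the advisory explicitly leaves room for other exploitation paths.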

Frequently asked questions

What is the Spring Framework and its role in application development?

The Spring Framework is a widely-used open-source framework for building Java applications, especially web applications and APIs. It simplifies the creation of robust, scalable enterprise-level software through its comprehensive programming and configuration model. Many modern web services leverage the Spring Framework for their backend operations.

How does CVE-2022-22965 lead to remote code execution?

CVE-2022-22965 is a critical vulnerability classified as CWE-94 (code injection). The flaw is in the data binding of Spring MVC and Spring WebFlux applications running on JDK 9 or later: request parameters are bound onto object properties in a way an attacker can abuse, which allows arbitrary code to run on the affected system.

What specific conditions are required to exploit CVE-2022-22965?

Exploitation of CVE-2022-22965 requires an application to be deployed as a WAR file on Tomcat. If the application is packaged as a default Spring Boot executable JAR, it is not vulnerable to this particular exploit. However, the underlying weakness is more general and may be exploitable through other means.

How does Halo Surface Signal assess the risk of CVE-2022-22965?

Halo Surface Signal rates CVE-2022-22965 as 'Very likely' to be externally exposed. The Spring Framework is widely used in internet-facing web applications and public APIs, so vulnerable deployments are usually reachable from the public internet.

What is the recommended action for mitigating CVE-2022-22965?

The recommended action is to apply the vendor-provided updates: Spring Framework 5.3.18 and 5.2.20 (and later) contain the fix. Keeping dependencies current, and confirming the fixed version is what actually ships in the deployed artifact, is the main protection against known vulnerabilities such as this one.

References

Cyber Threat Intelligence (CTI)

Sources: malpedia