CVE-2021-22060
Log Forging vulnerability in spring-core (Maven)
What is CVE-2021-22060 About?
This vulnerability is a log forging issue in Spring Framework versions 5.3.0-5.3.13 and 5.2.0-5.2.18 that allows users to inject additional log entries. It affects the integrity and trustworthiness of log data. Exploitation only requires supplying malicious input and is relatively easy.
Affected Software
- org.springframework:spring-core
  - >5.2.0, <5.2.19
  - >5.3.0, <5.3.14
Technical Details
This vulnerability, a follow-up to CVE-2021-22096, addresses additional types of input and more locations within the Spring Framework codebase where log forging can occur. It allows an authenticated or unauthenticated user to craft malicious input that, when processed by the Spring Framework, causes the insertion of additional, arbitrary log entries. This happens because the framework fails to properly sanitize or neutralize special characters (like newline or carriage return characters) within user-controlled input before logging them. An attacker can insert these control characters, followed by their own fake log content, to manipulate the log files. This can obscure legitimate activity, inject misleading information, or cover tracks, thereby compromising the integrity and reliability of the system's logging.
What is the Impact of CVE-2021-22060?
Successful exploitation may allow attackers to manipulate log files, obscure malicious activities, mislead incident response, and impact log-based auditing and security monitoring.
What is the Exploitability of CVE-2021-22060?
Exploitation is of low to moderate complexity, requiring an attacker to provide specially crafted input to the Spring Framework. Depending on the input vector, it may or may not require authentication. For example, if the input is processed from an unauthenticated API endpoint, no authentication is needed. No specific privileges are necessary beyond the ability to interact with the application that uses the vulnerable Spring Framework. This is typically a remote vulnerability, as the input often originates from network requests. The likelihood of exploitation increases for applications that log unprocessed user-supplied data, especially from external sources. The ease of exploitation is high, as it primarily involves injecting control characters into standard input fields.
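As an added illustration (not code from Spring or from this advisory), the following Python shows the mechanism described under Technical Details and Exploitability in a language-neutral way: the vulnerable pattern that writes user-controlled text straight into a log entry, the neutralization of CR/LF that a fix applies before formatting, and a check that flags neutralized breaks in an existing log as the footprint of an attempted forgery. The entry format, logger names and sample values are constructed for this example; it does not reproduce Spring's own logging code or the exact change made in 5.2.19/5.3.14.

```python
import re

# Constructed one-line entry format used for this illustration (not Spring's).
LOG_FORMAT = "{level:<5} {logger} - {message}"

# Characters that let one input spill over into a second log line, plus the
# backslash, which must be escaped so the escapes themselves stay unambiguous.
_LINE_BREAKS = re.compile(r"[\\\r\n]")
_ESCAPES = {"\\": "\\\\", "\r": "\\r", "\n": "\\n"}


def format_entry_unsafe(level: str, logger: str, message: str) -> str:
    """Vulnerable pattern: user-controlled text is written into the entry unchanged."""
    return LOG_FORMAT.format(level=level, logger=logger, message=message)


def neutralize(text: str) -> str:
    """Make CR/LF visible as the two-character escapes \\r and \\n.

    Backslashes are escaped first so that a literal backslash-n typed by a user
    cannot be confused with a neutralized newline when the log is reviewed.
    """
    return _LINE_BREAKS.sub(lambda m: _ESCAPES[m.group(0)], text)


def format_entry_safe(level: str, logger: str, message: str) -> str:
    """Hardened pattern: neutralize before formatting, so one call is always one line."""
    return LOG_FORMAT.format(level=level, logger=logger, message=neutralize(message))


def physical_lines(entry: str) -> int:
    """How many lines a single formatted entry occupies on disk."""
    return len(entry.splitlines())


# A neutralized CR/LF shows up as a backslash followed by r or n, where that
# backslash is preceded by an even number of backslashes (zero included).
_NEUTRALIZED_BREAK = re.compile(r"(?<!\\)(?:\\\\)*\\[rn]")


def flag_injection_attempts(log_lines):
    """Return 1-based line numbers whose message carries a neutralized CR/LF.

    Once neutralization is in place, this footprint means someone tried to
    forge an entry; it is a signal worth alerting on.
    """
    return [i for i, line in enumerate(log_lines, start=1)
            if _NEUTRALIZED_BREAK.search(line)]


# Constructed attacker-controlled value: a username carrying a fake second entry.
FORGED_USERNAME = "mallory\nINFO  c.e.Auth - login success for user=admin"
# Constructed benign value that contains a literal backslash-n, not a newline.
BENIGN_PATH = r"C:\new\share"


def demo():
    """Compare the unsafe and hardened paths on the constructed inputs above."""
    unsafe = format_entry_unsafe("WARN", "c.e.Auth", f"login failed for user={FORGED_USERNAME}")
    safe = format_entry_safe("WARN", "c.e.Auth", f"login failed for user={FORGED_USERNAME}")
    log = [
        format_entry_safe("INFO", "c.e.Auth", "login success for user=alice"),
        safe,
        format_entry_safe("INFO", "c.e.Files", f"opened {BENIGN_PATH}"),
    ]
    return {
        "unsafe_lines": physical_lines(unsafe),   # 2: the forged entry became its own line
        "safe_lines": physical_lines(safe),       # 1: the break is now a visible \n
        "flagged": flag_injection_attempts(log),  # [2]: only the attempt, not the benign path
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The detector is only meaningful for logs written after neutralization was in place: in a log produced by the vulnerable path, a forged line that copies the real entry format is indistinguishable from a genuine one, which is why the page's remediation is an upgrade rather than log review.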
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-22060?
Available Upgrade Options
- org.springframework:spring-core
  - >5.2.0, <5.2.19 → Upgrade to 5.2.19
  - >5.3.0, <5.3.14 → Upgrade to 5.3.14
Additional Resources
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://osv.dev/vulnerability/GHSA-6gf2-pvqw-37ph
- https://tanzu.vmware.com/security/cve-2021-22060
- https://nvd.nist.gov/vuln/detail/CVE-2021-22060
What are Similar Vulnerabilities to CVE-2021-22060?
Similar Vulnerabilities: CVE-2021-22096, CVE-2020-5398, CVE-2020-5401, CVE-2022-22978, CVE-2022-22971
