CVE-2022-22965
Remote Code Execution vulnerability in org.springframework:spring-beans

Tags: Remote Code Execution; High confidence exploit; Fixable by Resolved Security

What is CVE-2022-22965 About?

Spring Framework versions prior to 5.2.20 and 5.3.18 are affected by a remote code execution vulnerability, dubbed 'Spring4Shell'. This critical flaw can allow attackers to execute arbitrary code on affected systems, typically when running on specific configurations like Tomcat with JDK 9+ as a WAR deployment. Exploitation is complex but can have severe consequences.

Affected Software

  • org.springframework:spring-beans
    • <5.2.20.RELEASE
    • >5.3.0, <5.3.18
  • org.springframework:spring-webmvc
    • <5.2.20.RELEASE
    • >5.3.0, <5.3.18
  • org.springframework.boot:spring-boot-starter-web
    • <2.5.12
    • >2.6.0, <2.6.6
  • org.springframework:spring-webflux
    • <5.2.20.RELEASE
    • >5.3.0, <5.3.18
  • org.springframework.boot:spring-boot-starter-webflux
    • <2.5.12
    • >2.6.0, <2.6.6

Technical Details

The 'Spring4Shell' vulnerability (CVE-2022-22965) is a Remote Code Execution (RCE) flaw in Spring Framework versions prior to 5.2.20 and 5.3.18. It primarily affects Spring MVC or Spring WebFlux applications running on JDK 9 or higher, specifically when deployed on Apache Tomcat as a WAR file. The exploit leverages data binding mechanisms where an attacker can craft malicious requests to bind to specific sensitive properties within the application's environment. By manipulating these properties, particularly those related to Tomcat's classloader or logging configurations, an attacker can write a shell or JSP file to an accessible web directory, leading to arbitrary code execution. While the specific exploit targets Tomcat WAR deployments, the underlying vulnerability in Spring's data binding is broader, suggesting other potential exploitation vectors.

What is the Impact of CVE-2022-22965?

Successful exploitation may allow attackers to execute arbitrary code on the affected system, leading to full compromise of the application, underlying server, and potential data exfiltration.

What is the Exploitability of CVE-2022-22965?

Exploitation of this RCE vulnerability is of high complexity, requiring several specific prerequisites. The target application must be a Spring MVC or Spring WebFlux application, running on JDK 9 or higher, deployed as a WAR file on Apache Tomcat. While the direct exploit requires this specific Tomcat/WAR configuration, the general nature of the data binding vulnerability suggests other potential exploitation paths could exist. No specific authentication or privilege requirements are mentioned for the direct RCE, as it exploits the application's handling of incoming data. The attack is remote, allowing an attacker to trigger code execution over the network. The combination of JDK 9+, Tomcat, and WAR deployment is a critical risk factor that significantly increases the likelihood of successful exploitation.

What are the Known Public Exploits?

PoC Author       | Commentary
reznok           | Dockerized Spring4Shell (CVE-2022-22965) PoC application and exploit
BobTheShoplifter | Spring4Shell Proof Of Concept/And vulnerable application CVE-2022-22965
TheGejr          | Spring4Shell - Spring Core RCE - CVE-2022-22965

What are the Available Fixes for CVE-2022-22965?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch prevents binding to properties of type ClassLoader and ProtectionDomain, and restricts property binding on Class objects to exclude anything except name-related properties. This addresses CVE-2022-22965 by blocking attackers from exploiting the data binding mechanism to manipulate class loader or protection domain properties, which could otherwise allow remote code execution in certain configurations.
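The same binding restriction can be approximated at the application layer while an upgrade is pending. The following is an added example, not the page's own code and not the Resolved Security patch: a global @ControllerAdvice (package name assumed) that denies data binding to any property path passing through class/Class, which covers class.classLoader and class.protectionDomain while leaving ordinary bean properties bindable.

```java
// Added example (not from the advisory or the Resolved Security patch).
// Assumed package name; the Spring types used are real framework APIs.
package com.example.hardening;

import java.util.Arrays;
import java.util.stream.Stream;

import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

@ControllerAdvice
@Order(10000) // high value so this advice is applied after other binder customisations
public class BinderHardeningAdvice {

    // DataBinder matches these patterns against the full property path, so
    // "*.class.*" also blocks nested paths such as "owner.class.classLoader".
    // "class.name" and similar name-related reads are not reachable via binding
    // anyway, so denying the whole "class.*" subtree loses nothing legitimate.
    private static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void denyClassProperties(WebDataBinder binder) {
        // setDisallowedFields replaces the current list, so merge with any
        // fields a controller's own @InitBinder has already disallowed.
        String[] existing = binder.getDisallowedFields();
        String[] merged = (existing == null)
            ? DENYLIST
            : Stream.concat(Arrays.stream(existing), Arrays.stream(DENYLIST))
                    .toArray(String[]::new);
        binder.setDisallowedFields(merged);
    }
}
```

This is a workaround only: a controller that calls setDisallowedFields after this advice runs would overwrite the list, so upgrading to 5.2.20/5.3.18 (or the corresponding Spring Boot versions listed below) remains the actual fix.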

Available Upgrade Options

  • org.springframework.boot:spring-boot-starter-web
    • <2.5.12 → Upgrade to 2.5.12
  • org.springframework.boot:spring-boot-starter-web
    • >2.6.0, <2.6.6 → Upgrade to 2.6.6
  • org.springframework:spring-beans
    • <5.2.20.RELEASE → Upgrade to 5.2.20.RELEASE
  • org.springframework:spring-beans
    • >5.3.0, <5.3.18 → Upgrade to 5.3.18
  • org.springframework:spring-webflux
    • <5.2.20.RELEASE → Upgrade to 5.2.20.RELEASE
  • org.springframework:spring-webflux
    • >5.3.0, <5.3.18 → Upgrade to 5.3.18
  • org.springframework:spring-webmvc
    • <5.2.20.RELEASE → Upgrade to 5.2.20.RELEASE
  • org.springframework:spring-webmvc
    • >5.3.0, <5.3.18 → Upgrade to 5.3.18
  • org.springframework.boot:spring-boot-starter-webflux
    • <2.5.12 → Upgrade to 2.5.12
  • org.springframework.boot:spring-boot-starter-webflux
    • >2.6.0, <2.6.6 → Upgrade to 2.6.6


Additional Resources

What are Similar Vulnerabilities to CVE-2022-22965?

Similar Vulnerabilities: CVE-2010-1622, CVE-2011-2730, CVE-2017-8046, CVE-2018-1258, CVE-2018-1273